Critical Vulnerability in Jenkins CLI Could Enable Remote Code Execution

Coding script text on screen. Notebook closeup photo.

Image source: Shutterstock

CVE-2024-23897 is the most serious of 12 vulnerabilities that the Jenkins team disclosed on Jan 24.

The Jenkins infrastructure team has issued a patch for a critical remote code execution vulnerability in the widely used open-source automation technology for building, testing and deploying application software.

CVE-2024-23897 is an arbitrary file read vulnerability affecting the built-in Jenkins  Command Line Interface (CLI) that allows developers and admins to manage and control Jenkins via a script or shell environment. It specifically has to do with a parser feature in the CLI that is enabled by default on Jenkins versions 2.441 and earlier and Jenkins LTS 2.426.2 and earlier.

Remote Code Execution

“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.,” the Jenkins team said in a Jan 24 advisory. The vulnerability is the most serious of 12 that the Jenkins team disclosed on Wednesday. It is the only flaw in that set that has a “critical” severity rating; the rest are all either of “high” or “medium” severity issues.

According to the Jenkins team, the new vulnerability CVE-2024-23897 allows an attacker with overall/read permission to read the entire contents of files. Even attackers that do not have that permission can read the first few lines—or more—in a file depending on the available CLI commands. “As of publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent releases of Jenkins without having any plugins installed.” So far, the team has not come across any plugin that would enable an attacker without overall/read permissions to read more than the first three lines.

In some situations, CVE-2024-23897, can allow an attacker to read binary files containing cryptographic keys for various Jenkins features. In these instances, an attacker could use the cryptographic keys in remote code execution attacks via Resource Root URLs; via the “Remember me” cookie’; via cross site scripting attacks; and by bypassing protections around cross site request forgery attacks. Attackers that managed to obtain secrets in binary files can also use CVE-2024-23897 to decrypt secrets, delete items and download a Java heap dump, the Jenkins maintainers said.

Upgrade Now or Disable Access to the CLI

The team has released Jenkins versions 2.442 and LTS version 2.426.3 that addresses the vulnerability and is recommending that development teams using the technology upgraded to the new version quickly. In situations where any organization might not be able to update immediately, the Jenkins team recommends disabling access to the CLI.

“Doing so is strongly recommended to administrators unable to immediately update to Jenkins 2.442, LTS 2.426.3,” the advisory noted. “Applying this workaround does not require a Jenkins restart. For instructions, see the documentation for this workaround.”

The other vulnerabilities that the Jenkins teams disclosed on Jan 24 included CVE-2024-23898, a high-severity Cross-site WebSocket hijacking vulnerability in the CLI and CVE-2024-23899 a high-severity, arbitrary file read remote code execution vulnerability in Git server Plugin.