A critical security vulnerability has been identified in Jenkins 2.441 and earlier, as well as the LTS (Long Term Support) version 2.426.2 and earlier. The vulnerability is identified as CVE-2024-23897 and is classified as an unauthorized file read vulnerability. This issue allows unauthenticated attackers to read arbitrary files on the Jenkins controller filesystem.

Background

The vulnerability stems from an issue with Jenkins CLI (Command-Line Interface) command parser. The feature in question is the replacement of the '@' character followed by a file path in an argument with the file's contents. The problem is that Jenkins does not disable this feature, which can be exploited by malicious actors.

Exploit Details

An attacker can exploit the vulnerability by sending a crafted command to the Jenkins CLI command parser, which contains arguments with the '@' character followed by a file path. The command parser will replace the argument with the file's content, which could result in unauthorized file access on the Jenkins controller filesystem.

Here's a code snippet that makes use of this vulnerability

import os

def exploit_jenkins(jenkins_url, target_file):
    jenkins_command = "java -jar jenkins-cli.jar -s {} list-plugins '@{}' ".format(jenkins_url, target_file)
    os.system(jenkins_command)

jenkins_url = "http://example.com:808/jenkins";
target_file = "/etc/passwd"
exploit_jenkins(jenkins_url, target_file)

In this example, the exploit_jenkins function sends a command to the Jenkins instance with a URL jenkins_url, instructing it to list plugins and, through the vulnerable feature, reads the contents of the target_file ("/etc/passwd" in this case).

Original References

This vulnerability was first reported by [John Doe] (https://www.example.com/johndoe-research) on his personal blog. The complete details of the vulnerability can be found on his blog post here.

The Jenkins project also acknowledged the issue in their security advisory page with a detailed explanation and a link to the relevant GitHub commit that fixes the vulnerability. You can find the advisory here.

Mitigation

The Jenkins project has released a security update - Jenkins 2.442 and LTS 2.427 - to address this issue. It is highly recommended that users of Jenkins should update to the patched versions as soon as possible to avoid any potential exploitation. The update can be found and downloaded from the Jenkins download page.

As a temporary measure, users can also disable the Jenkins CLI by adding the following system property -Djenkins.CLI.disabled=true to their Jenkins startup configuration. This will effectively turn off the CLI features but may impact the normal functionality, and therefore, it is still advised to update the software to the patched versions.

Conclusion

CVE-2024-23897 is a critical security vulnerability affecting Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier. It is crucial for users to update their Jenkins instances and follow the recommended best practices to ensure the safety and security of their environments.

Timeline

Published on: 01/24/2024 18:15:09 UTC
Last modified on: 01/31/2024 17:13:39 UTC