The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE).
The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-in command line interface (CLI).
“This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.”
Additionally, the shortcoming could be weaponized to read binary files containing cryptographic keys, albeit with certain restrictions. Provided the binary secrets can be extracted, Jenkins says it could open the door to various attacks –
- Remote code execution via Resource Root URLs
- Remote code execution via “Remember me” cookie
- Remote code execution via stored cross-site scripting (XSS) attacks through build logs
- Remote code execution via CSRF protection bypass
- Decrypt secrets stored in Jenkins
- Delete any item in Jenkins
- Download a Java heap dump
Security researcher Yaniv Nizry has been credited with discovering and reporting the flaw, which has been fixed in Jenkins 2.442, LTS 2.426.3 by disabling the command parser feature.
As a short-term workaround until the patch can be applied, it’s recommended to turn off access to the CLI.
The development comes nearly a year after Jenkins addressed a pair of severe security vulnerabilities dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905) that could lead to code execution on targeted systems.
Source: https://thehackernews.com/