The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE).
The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-in command line interface (CLI).
“Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands,” the maintainers said in a Wednesday advisory.
“This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.”
A threat actor could exploit this quirk to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.
While attackers with “Overall/Read” permission can read entire files, those without it can read the first three lines of files, depending on the CLI command used.
Furthermore, the shortcoming could be weaponized to read binary files containing cryptographic keys, albeit with certain restrictions. Provided the binary secrets can be extracted, Jenkins says it could open the door to various attacks –
- Remote code execution via Resource Root URLs
- Remote code execution via “Remember me” cookie
- Remote code execution via stored cross-site scripting (XSS) attacks through build logs
- Remote code execution via CSRF protection bypass
- Decrypt secrets stored in Jenkins
- Delete any item in Jenkins
- Download a Java heap dump
“While files containing binary data can be read, the affected feature attempts to read them as strings using the controller process’s default character encoding,” Jenkins said.
“This is likely to result in some bytes not being read successfully and being replaced with a placeholder value. Which bytes can or cannot be read depends on this character encoding.”
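The following is an added example, written for this page and not code from Jenkins or args4j. It models the two behaviours described above in Python: an argument of the form @path is replaced by the contents of that file (the vulnerable parser) versus being left alone (the fixed parser), and a file holding bytes that the controller's default character encoding cannot decode comes back with placeholder characters, so which bytes survive depends on the charset. The file paths and contents are constructed for the example, the command name is a placeholder, and splitting the file into one argument per line is an assumption about how the expansion presents the contents; the page only says the argument is replaced by the file's contents.

```python
"""Model of the args4j '@file' expansion behind CVE-2024-23897 (constructed example)."""
from typing import Dict, List

# Constructed stand-in for files on a Jenkins controller. The paths and contents
# are made up for this example; they are not real Jenkins files or secrets.
CONTROLLER_FS: Dict[str, bytes] = {
    "/var/jenkins_home/users/admin/config.xml":
        b"<user>\n  <fullName>admin</fullName>\n  <id>admin</id>\n</user>\n",
    # ASCII mixed with 0xFF/0xFE, bytes that are never valid in UTF-8,
    # standing in for a binary key file.
    "/var/jenkins_home/secrets/master.key": b"\x41\x42\xff\xfe\x43\n",
}

# Placeholder a Java decoder substitutes for input it cannot decode (U+FFFD).
REPLACEMENT_CHAR = "\ufffd"


def read_as_string(path: str, encoding: str,
                   fs: Dict[str, bytes] = CONTROLLER_FS) -> str:
    """Read a file the way a Java reader with a fixed charset would: decode it
    and substitute a placeholder for bytes the charset cannot decode.
    (Python may emit a different number of placeholders than Java for a given
    malformed sequence; the point shown is that the result depends on the charset.)"""
    return fs[path].decode(encoding, errors="replace")


def expand_at_files(args: List[str], encoding: str = "utf-8",
                    fs: Dict[str, bytes] = CONTROLLER_FS) -> List[str]:
    """Vulnerable behaviour: any argument '@<path>' is replaced by the contents
    of <path>, read with the controller's default encoding. Emitting one
    argument per line is an assumption of this model."""
    out: List[str] = []
    for arg in args:
        if arg.startswith("@"):
            path = arg[1:]
            if path not in fs:
                raise FileNotFoundError(path)
            out.extend(read_as_string(path, encoding, fs).splitlines())
        else:
            out.append(arg)
    return out


def parse_cli_args(args: List[str], expand_at: bool, encoding: str = "utf-8",
                   fs: Dict[str, bytes] = CONTROLLER_FS) -> List[str]:
    """expand_at=True models Jenkins 2.441 / LTS 2.426.2 and earlier;
    expand_at=False models the fix in 2.442 / LTS 2.426.3, which disables the
    feature so '@...' stays a literal argument."""
    return expand_at_files(args, encoding, fs) if expand_at else list(args)


def demo() -> None:
    # "some-cli-command" is a placeholder, not a real Jenkins CLI command name.
    attacker_args = ["some-cli-command", "@/var/jenkins_home/users/admin/config.xml"]
    print("vulnerable:", parse_cli_args(attacker_args, expand_at=True))
    print("fixed:     ", parse_cli_args(attacker_args, expand_at=False))
    key = "/var/jenkins_home/secrets/master.key"
    for enc in ("utf-8", "iso-8859-1"):
        print(f"{enc}: {read_as_string(key, enc)!r}")


if __name__ == "__main__":
    demo()
```

With UTF-8 as the default encoding, the two non-ASCII bytes of the constructed key file come back as U+FFFD and are lost; with a single-byte charset such as ISO-8859-1 every byte maps to a character and nothing is lost, which is what the advisory means by the readable bytes depending on the controller's character encoding.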
Security researcher Yaniv Nizry has been credited with discovering and reporting the flaw, which has been fixed in Jenkins 2.442 and LTS 2.426.3 by disabling the command parser feature.
As a short-term workaround until the patch can be applied, it's recommended to turn off access to the CLI.
The development comes nearly a year after Jenkins addressed a pair of severe security vulnerabilities dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905) that could lead to code execution on targeted systems.