CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE Possible

by do son · Published January 24, 2024 · Updated January 26, 2024

Jenkins – a popular open-source automation server software – published an advisory on Wednesday concerning a critical vulnerability that could result in remote code execution.

Tracked as CVE-2024-23897, a critical vulnerability within Jenkins’ built-in command line interface (CLI), has sent ripples of concern across the IT landscape. This vulnerability, with a CVSS score of 9.8, opens the door to arbitrary file reads through the CLI, potentially culminating in remote code execution (RCE).

At the heart of this vulnerability lies Jenkins’ reliance on the args4j library for parsing command arguments and options on the Jenkins controller when processing CLI commands. A seemingly benign feature, designed to enhance utility by replacing an “@” character followed by a file path in an argument with the file’s contents, has become a Pandora’s box. Enabled by default and unchecked in versions up to 2.441 and LTS 2.426.2, “this allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”

Attackers possessing Overall/Read permissions can access entire file contents. Conversely, those lacking such permissions are limited to viewing only the initial segments of files, with the extent of access being determined by the commands available through the command-line interface. At the time of issuing this advisory, the Jenkins security team discovered methods enabling the reading of the first three lines of files in the latest Jenkins versions, even in the absence of any installed plugins. Furthermore, no plugins have been identified that would extend the number of lines accessible.

CVE-2024-23897 is also a remote code execution threat. From exploiting the “Resource Root URL” functionality to crafting a “Remember me” cookie that impersonates an administrator account, the avenues for exploitation are as varied as they are perilous. Each variant of the attack demands a unique set of conditions, from accessible CLI WebSocket endpoints to the retrieval of binary secrets.

In response to this threat, Jenkins has introduced a patch in versions 2.442 LTS and 2.426.3, disabling the command parser feature that facilitated this vulnerability.

“In case of problems with this fix, disable this change by setting the Java system property hudson.cli.CLICommand.allowAtSyntax to true. Doing this is strongly discouraged on any network accessible by users who are not Jenkins administrators,” reads the security advisory.

Administrators seeking immediate relief but unable to upgrade may migrate this flaw by disabling CLI access altogether—a recommended interim measure that does not require a Jenkins restart.

Update:

On January 25, the technical details and proof-of-concept (PoC) code targeting a critical CVE-2024-23897 vulnerability in Jenkins was published.