Pierluigi Paganini January 26, 2024

Jenkins maintainers addressed several security vulnerabilities, including a critical remote code execution (RCE) flaw.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community. The automation server supports developers build, test and deploy their applications, it has hundreds of thousands of active installations worldwide with more than 1 million users.

The maintainers of the open-source platform have addressed nine security vulnerabilities, including a critical flaw, tracked as CVE-2024-23897, that could lead to remote code execution (RCE). The vulnerability was reported by the researcher Yaniv Nizry from Sonar who wrote a detailed analysis of the issue.

Jenkins has a built-in command line interface (CLI) to access the platform from a script or shell environment. The open-source software uses the args4j library to parse CLI command arguments and options on the Jenkins controller. The parser uses a functionality that replaces the ‘@’ character followed by a file path in an argument with the content of the file (‘expandAtFiles’). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.

An attacker can abuse the default character encoding of the Jenkins controller process to read arbitrary files on the controller file system.

An attacker with “Overall/Read” permission can read entire files, while an attacker without it can read the first three lines of the files depending on the CLI commands.

Below are some notes from the advisory:

• Attackers with Overall/Read permission can read entire files.
• Attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on available CLI commands. As of publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent releases of Jenkins without having any plugins installed, and has not identified any plugins that would increase this line count.

The maintainers pointed out that exploiting this flaw makes it possible to read binary files containing cryptographic keys used for various Jenkins features, even with some limitations.

Once the attacker has obtained the binary secrets it can conduct multiple attacks, including Remote code execution via Resource Root URLs, Remote code execution via “Remember me” cookie, Remote code execution via stored cross-site scripting (XSS) attacks through build logs, Remote code execution via CSRF protection bypass, Decrypt secrets stored in Jenkins, Delete any item in Jenkins, Download a Java heap dump.

The issue has been addressed in versions 2.442, LTS 2.426.3 by disabling the command parser feature.

The advisory also recommends to turn off access to the CLI as a workaround.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)