The maintainers of the open-source steady integration/steady supply and deployment (CI/CD) automation software program Jenkins have resolved 9 security flaws, together with a essential bug that, if efficiently exploited, might lead to distant code execution (RCE).
The difficulty, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file learn vulnerability by means of the built-in command line interface (CLI)
“Jenkins makes use of the args4j library to parse command arguments and choices on the Jenkins controller when processing CLI instructions,” the maintainers mentioned in a Wednesday advisory.
“This command parser has a function that replaces an @ character adopted by a file path in an argument with the file’s contents (expandAtFiles). This function is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier doesn’t disable it.”
A menace actor might exploit this quirk to learn arbitrary information on the Jenkins controller file system utilizing the default character encoding of the Jenkins controller course of.
Whereas attackers with “Total/Learn” permission can learn whole information, these with out it might learn the primary three strains of the information relying on the CLI instructions.
Moreover, the shortcoming may very well be weaponized to learn binary information containing cryptographic keys, albeit with sure restrictions. Supplied the binary secrets and techniques could be extracted, Jenkins says it might open the door to numerous assaults –
- Distant code execution through Useful resource Root URLs
- Distant code execution through “Keep in mind me” cookie
- Distant code execution through saved cross-site scripting (XSS) assaults by means of construct logs
- Distant code execution through CSRF safety bypass
- Decrypt secrets and techniques saved in Jenkins
- Delete any merchandise in Jenkins
- Obtain a Java heap dump
“Whereas information containing binary information could be learn, the affected function makes an attempt to learn them as strings utilizing the controller course of’s default character encoding,” Jenkins mentioned.
“That is prone to lead to some bytes not being learn efficiently and being changed with a placeholder worth. Which bytes can or can’t be learn is dependent upon this character encoding.”
Safety researcher Yaniv Nizry has been credited with discovering and reporting the flaw, which has been fastened in Jenkins 2.442, LTS 2.426.3 by disabling the command parser function.
As a short-term workaround till the patch could be utilized, it is advisable to show off entry to the CLI.
The event comes practically a 12 months after Jenkins addressed a pair of extreme security vulnerabilities dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905) that would result in code execution on focused techniques.