Arbitrary File Read Vulnerability in Jenkins CLI Command Parser

CVE-2024-23897

9.8 CRITICAL

Key Information

Vendor: Jenkins
CVE Published: 24 January 2024

Badges

🔥 No. 1 Trending · 😄 Trended · 👾 Exploit Exists · 🔴 Public PoC · 🟣 EPSS 97% · 📰 News Worthy

What is CVE-2024-23897?

CVE-2024-23897 is a serious vulnerability found in the Jenkins automation server, specifically affecting versions 2.441 and earlier and LTS 2.426.2 and earlier. Jenkins is a widely used open-source platform that facilitates continuous integration and delivery, helping organizations to automate their software development processes. This vulnerability allows unauthenticated attackers to exploit a flaw in the CLI command parser, which fails to sanitize input appropriately. As a result, attackers can manipulate commands to read arbitrary files on the Jenkins controller's file system, which could lead to unauthorized access to sensitive information and potential further exploitation within an organization.

Technical Details

The vulnerability exists because the Jenkins CLI command parser does not disable a feature that expands file contents into command parameters. When an argument consisting of an '@' character followed by a file path is supplied, the parser replaces that argument with the contents of the named file on the controller. Because this expansion is applied to input from callers who have not authenticated, it gives a vector for unauthorized file access, enabling attackers to read files they should not have access to, including configuration files, secrets, and other sensitive data that could jeopardize the integrity and confidentiality of the system.
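To make the mechanism concrete, the following is an added toy model written for this page (not Jenkins or args4j code): an argument expander with the pre-fix '@file' behaviour beside the hardened form in which the feature is disabled, plus a front-end guard for deployments where it cannot be. The file path and its contents are constructed for the example.

```python
"""Toy model of the '@file' argument expansion behind CVE-2024-23897.

Stand-alone illustration written for this page, not Jenkins code. The
pre-fix expander replaces any '@<path>' argument with that file's contents;
the hardened expander leaves the token alone (the effect of disabling the
feature); the guard shows how a front end could refuse such arguments.
"""
from typing import Callable, Dict, List

# Constructed stand-in for the controller's file system; path and contents
# are hypothetical and exist only in this example.
FAKE_FS: Dict[str, str] = {
    "/var/jenkins_home/secrets/master.key": "constructed-sample-key",
}

def read_fake_file(path: str) -> str:
    """Stand-in for reading a file on the controller."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]

def expand_args_vulnerable(
    args: List[str], read_file: Callable[[str], str] = read_fake_file
) -> List[str]:
    """Pre-fix behaviour: '@<path>' is replaced by the whitespace-separated
    contents of <path>, whoever supplied it, so any readable file on the
    controller can end up inside the parsed command line."""
    out: List[str] = []
    for arg in args:
        if arg.startswith("@") and len(arg) > 1:
            out.extend(read_file(arg[1:]).split())
        else:
            out.append(arg)
    return out

def expand_args_hardened(args: List[str]) -> List[str]:
    """Fixed behaviour: expansion is disabled, so '@<path>' is passed through
    as an ordinary string and no file on the controller is opened."""
    return list(args)

def reject_at_args(args: List[str]) -> List[str]:
    """Defensive guard for a CLI front end: refuse any argument that would
    trigger expansion on an unpatched parser instead of forwarding it."""
    for arg in args:
        if arg.startswith("@"):
            raise ValueError(f"refusing argument starting with '@': {arg}")
    return list(args)
```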

Impact of the Vulnerability

  1. Unauthorized Access to Sensitive Information: Attackers can potentially retrieve sensitive files, such as configuration settings, credentials, and other critical data, leading to data leaks and significant security risks.

  2. Potential for Escalated Attacks: By accessing sensitive information, attackers may gain insights into the operational structure of the organization, allowing them to launch further attacks or compromise additional systems.

  3. Reputational Damage: Exploitation of this vulnerability could result in data breaches that harm the organization's reputation, eroding customer trust and leading to potential financial losses due to regulatory fines and remediation efforts.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2024-23897 as being exploited in the wild; CISA also lists it as known to be used in ransomware campaigns.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Jenkins <= 0

Jenkins >= 1.606

Jenkins >= 2.442

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

Critical Jenkins vulnerability added to CISA’s known vulnerabilities catalog

The RCE vulnerability was leveraged in ransomware attacks targeting Indian banks.

2 months ago

Exploit Released for Critical Jenkins RCE Flaw

Jenkins has been discovered with a critical vulnerability that is associated with arbitrary code execution that threat actors can exploit for malicious purposes.

4 months ago

Vulnerabilities, Vulnerabilities Everywhere – PSW #840

This week: YAVD: Yet Another Vulnerable Driver, why bring your own when one already exists, backdoors in MIFARE Classic, wireless hacking tips, AMD sinkclose vulnerability will keep running, you down with SLDP yea you know me, Phrack!, IoTGoats, Pixel vulnerabilities, leaking variables, a DEF CON ta...

4 months ago

References

EPSS Score

97% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🔴 Public PoC available
  • CISA Reported
  • 🔥 Vulnerability reached the number 1 worldwide trending spot
  • 😈 Used in Ransomware
  • 👾 Exploit known to exist
  • Vulnerability started trending
  • First article discovered by Penetration Testing
  • Vulnerability published
  • Vulnerability Reserved

Collectors

NVD Database · Mitre Database · CISA Database · 14 Proof of Concept(s) · 23 News Article(s)