Arbitrary File Read Vulnerability in Jenkins CLI Command Parser
Key Information
- Vendor
- Jenkins
- Status
- Jenkins
- Vendor
- CVE Published:
- 24 January 2024
Badges
Summary
There is an arbitrary file read vulnerability in Jenkins 2.441 and earlier, LTS 2.426.2 and earlier, which can potentially lead to remote code execution. This vulnerability is considered critical, with a CVSS score of 9.8 out of 10. The issue allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system. The impact includes total compromise of system confidentiality, integrity, and availability. The fix for this vulnerability is to disable the args4j feature that allows file contents to be substituted in CLI arguments in Jenkins 2.442 and LTS 2.426.3. Other security issues including RCE flaws have been patched as well, and organizations are advised to upgrade Jenkins installations to the latest versions as soon as possible. Threat actors frequently target vulnerabilities in Jenkins and related software, and many of the flaws addressed in this release could be exploited to breach Jenkins controllers. Overall, this is a substantial security release that addresses over a dozen vulnerabilities with varying levels of severity, and organizations should prioritize applying these urgent updates to prevent their Jenkins controller from being fully compromised by remote attackers.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-23897 as being exploited and is known by the CISA as enabling ransomware campaigns.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Jenkins <= 0
Jenkins >= 1.606
Jenkins >= 2.442
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Critical Jenkins vulnerability added to CISA’s known vulnerabilities catalog
The RCE vulnerability was leveraged in ransomware attacks targeting Indian banks.
1 month ago
GBHackers CVE-2024-23898CVE-2024-23897Exploit Released for Critical Jenkins RCE Flaw
Jenkins has been discovered with a critical vulnerability that is associated with arbitrary code execution that threat actors can exploit for malicious purposes.
3 months ago
Vulnerabilities, Vulnerabilities Everywhere – PSW #840
This week: YAVD: Yet Another Vulnerable Driver, why bring your own when one already exists, backdoors in MIFARE Classic, wireless hacking tips, AMD sinkclose vulnerability will keep running, you down with SLDP yea you know me, Phrack!, IoTGoats, Pixel vulnerabilities, leaking variables, a DEF CON ta...
3 months ago
EPSS Score
96% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 👾
Exploit exists.
- 🔥
Vulnerability reached the number 1 worldwide trending spot.
Vulnerability started trending.
First article discovered by Penetration Testing
Vulnerability published.
Vulnerability Reserved.