Security researchers have issued a warning regarding the disclosure of proof-of-concept (PoC) exploits targeting a critical vulnerability, CVE-2024-23897, recently identified in the widely-used Jenkins automation server. Maintained by CloudBees and the Jenkins community, Jenkins supports developers in building, testing, and deploying applications, boasting hundreds of thousands of installations worldwide and over a million users. The platform’s maintainers have addressed nine security vulnerabilities, with CVE-2024-23897 posing a significant risk of remote code execution (RCE). Researchers, including Yaniv Nizry from Sonar, have highlighted the vulnerability’s exploitation potential, particularly through the abuse of the default character encoding to read arbitrary files on the Jenkins controller file system.
The critical flaw stems from the platform’s use of the args4j library to parse command line interface (CLI) command arguments, where a default feature (‘expandAtFiles’) replaces the ‘@’ character followed by a file path in an argument with the file’s content. This feature, enabled by default in Jenkins versions 2.441 and earlier, LTS 2.426.2 and earlier, allows attackers to manipulate the character encoding to read files on the controller file system. Depending on the attacker’s permissions, entire files or the first three lines can be accessed, raising concerns about potential exposure of cryptographic keys used in various Jenkins features. Security researcher Florian Roth warns of weaponized PoC exploits circulating, while German Fernandez notes a substantial vulnerability exploitation, identifying over 75,000 internet-facing instances through Shodan queries.
As PoC exploits become public, the threat landscape intensifies, with the availability of these exploits expected to attract multiple threat actors seeking to exploit the vulnerability in attacks. The emergence of these exploits further underscores the urgency for Jenkins users to update their systems promptly, implement security measures, and stay vigilant against potential cyber threats exploiting this critical flaw.
References:
- Jenkins Security Advisory 2024-01-24
- This vulnerability in Jenkins is serious CVE-2024-23897. POCs have been published
- Critical CVE-2024-23897 in Jenkins allows unauthenticated attackers to partially leak files and authenticated attackers to leak entire files
- CVE-2024-23897: Unauthenticated Arbitrary File Read vulnerability could lead to RCE on Jenkins servers.
