Analysis of CVE-2024-23897

Nijin K
2 min read · Jan 29, 2024


Jenkins is an automation server written in Java that facilitates continuous integration and continuous delivery/deployment (CI/CD).

What is this vulnerability about?
Jenkins has a built-in CLI for accessing the platform from a shell environment. Jenkins uses the args4j library to parse CLI command arguments. This parser has a feature that replaces an @ character followed by a file path with the contents of that file. An attacker targeting a Jenkins instance could use this capability to read arbitrary files on the instance's file system. Jenkins 2.441 and earlier, as well as LTS 2.426.2 and earlier, do not disable this feature by default.

How can this be mitigated?
a. If updating Jenkins is possible, update to version 2.442 or LTS 2.426.3.
b. If updating Jenkins is not possible, restrict access to the CLI until the patch is applied.
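A quick way to decide which of the two mitigations applies to a given instance is to compare its reported version against the affected ranges listed above. The following Python helper is an added example, not code from the post or from the Jenkins project; it uses the thresholds the post states (weekly 2.441 and earlier, LTS 2.426.2 and earlier affected; 2.442 and LTS 2.426.3 fixed) and reads the version from the X-Jenkins response header that Jenkins sends. The header dictionaries fed to it here are constructed samples.

```python
"""Triage helper for CVE-2024-23897: is this Jenkins version in the affected range?

Added example, not part of the original post or the Jenkins project.
Affected per the advisory summary in the post:
  - weekly releases 2.441 and earlier  (fix: 2.442)
  - LTS releases    2.426.2 and earlier (fix: 2.426.3)
"""
from __future__ import annotations

import re

WEEKLY_FIXED = (2, 442)      # first weekly release with the fix
LTS_FIXED = (2, 426, 3)      # first LTS release with the fix


def parse_version(text: str) -> tuple[int, ...]:
    """Return the numeric components of a Jenkins version string.

    Weekly releases look like '2.441' (two components); LTS releases look
    like '2.426.2' (three components). Anything else is rejected.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version: str) -> bool:
    """True if the version is in the affected range for CVE-2024-23897."""
    v = parse_version(version)
    if len(v) == 3:
        # LTS line: 2.426.2 and earlier are affected; 2.426.3 and later
        # (including later LTS lines such as 2.440.x) are fixed.
        return v < LTS_FIXED
    # Weekly line: 2.441 and earlier are affected.
    return v < WEEKLY_FIXED


def version_from_headers(headers: dict[str, str]) -> str | None:
    """Pull the X-Jenkins header (case-insensitive) out of a response header map."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def triage(headers: dict[str, str]) -> dict:
    """Summarise what to do for an instance, given its HTTP response headers."""
    version = version_from_headers(headers)
    if version is None:
        return {"version": None, "affected": None,
                "action": "no X-Jenkins header seen; check version manually"}
    affected = is_affected(version)
    if not affected:
        action = "already on a fixed release"
    elif len(parse_version(version)) == 3:
        action = "update to LTS 2.426.3 or later; otherwise restrict CLI access"
    else:
        action = "update to 2.442 or later; otherwise restrict CLI access"
    return {"version": version, "affected": affected, "action": action}


if __name__ == "__main__":
    # Constructed sample headers, as a reverse proxy or curl -I would show them.
    for sample in ({"X-Jenkins": "2.426.2"}, {"x-jenkins": "2.442"}, {"Server": "Jetty"}):
        print(triage(sample))
```

The check is deliberately strict about the version format: an unparseable value raises rather than silently reporting "not affected", which is the failure mode you do not want in a triage script.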

POC:
Here I am going to show how an attacker could get the initial lines of the /etc/passwd file on the Jenkins instance with this vulnerability.

  1. Let http://x.x.x.x/ be the Jenkins instance URL.
  2. The first step is to download jenkins-cli.jar. This can be done by following the steps at
    https://www.jenkins.io/doc/book/managing/cli/#downloading-the-client
  3. Once the CLI is downloaded, run the following command:

java -jar jenkins-cli.jar -s http://x.x.x.x/ -http help 1 "@/etc/passwd"

You will get the initial lines of /etc/passwd, as shown in the screenshot below.

It is not just arbitrary file read; further attacks are also possible with this vulnerability.
For example, if the attacker is able to read an AWS key and secret using this method, the attack could be extended to the cloud resources. Many other possibilities are described in the advisory provided by Jenkins.

Many public exploits have been released by now. Attackers are targeting Jenkins servers on a large scale.
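Because the exploitation the post describes goes through the CLI endpoint, the HTTP-mode client posts to /cli on the Jenkins server, so access logs of a reverse proxy in front of Jenkins are a practical place to look for abuse and to confirm that a CLI restriction is actually holding. The script below is an added example, not code from the post or from Jenkins: it parses combined-format access log lines, picks out POST requests to /cli, and reports sources that are not on an allowlist. The log lines and the allowlist are constructed for the demo; the log format and allowlist are assumptions about your own environment.

```python
"""Flag Jenkins CLI traffic in reverse-proxy access logs.

Added example, not from the post or the Jenkins project. The HTTP-mode
jenkins-cli.jar client talks to the /cli endpoint (historically as
/cli?remoting=false), so POSTs to that path from hosts that are not known
CI administration boxes are worth a look while CVE-2024-23897 is being
patched. Sample log lines and the allowlist below are constructed.
"""
from __future__ import annotations

import re
from collections import Counter

# Combined/common log format as written by nginx or Apache in front of Jenkins
# (assumption: adjust the pattern if your proxy logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one known admin host using the CLI, one unknown host
# hammering /cli, and unrelated browsing traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2024:10:01:12 +0000] "GET /job/build/lastBuild/ HTTP/1.1" 200 5123
10.0.0.5 - - [26/Jan/2024:10:01:40 +0000] "POST /cli?remoting=false HTTP/1.1" 200 48
203.0.113.9 - - [26/Jan/2024:10:02:01 +0000] "POST /cli?remoting=false HTTP/1.1" 200 1337
203.0.113.9 - - [26/Jan/2024:10:02:02 +0000] "POST /cli?remoting=false HTTP/1.1" 200 1402
203.0.113.9 - - [26/Jan/2024:10:02:03 +0000] "POST /cli HTTP/1.1" 200 990
198.51.100.4 - - [26/Jan/2024:10:03:15 +0000] "GET /login HTTP/1.1" 200 2210
"""

# Hosts that are expected to drive the CLI (assumption for this demo).
ALLOWED_CLI_SOURCES = frozenset({"10.0.0.5"})


def parse_line(line: str) -> dict | None:
    """Parse one access log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cli_request(rec: dict) -> bool:
    """True for a POST whose path (query string stripped) is the /cli endpoint.

    endswith() also covers instances served under a context path, e.g. /jenkins/cli.
    """
    path = rec["path"].split("?", 1)[0].rstrip("/")
    return rec["method"] == "POST" and path.endswith("/cli")


def find_suspicious_cli_sources(log_text: str,
                                allowed: frozenset[str] = ALLOWED_CLI_SOURCES) -> dict[str, int]:
    """Count /cli POSTs per source IP, ignoring allowlisted hosts."""
    hits: Counter[str] = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_cli_request(rec) and rec["ip"] not in allowed:
            hits[rec["ip"]] += 1
    return dict(hits)


def count_cli_requests(log_text: str) -> int:
    """Total /cli POSTs seen, allowlisted or not; useful to confirm a CLI block took effect."""
    return sum(1 for line in log_text.splitlines()
               if (rec := parse_line(line)) and is_cli_request(rec))


if __name__ == "__main__":
    print("all /cli POSTs:", count_cli_requests(SAMPLE_LOG))
    for ip, n in find_suspicious_cli_sources(SAMPLE_LOG).items():
        print(f"unexpected CLI source {ip}: {n} request(s)")
```

One caveat: Jenkins can also expose the CLI over its SSH port, and that traffic never reaches an HTTP access log, so this check only covers the HTTP path; if the SSH CLI is enabled, audit that separately.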

Patch and secure yourself immediately, before an attacker injects malicious code into your builds!!!

CVE DETAILS
https://nvd.nist.gov/vuln/detail/CVE-2024-23897

Security Advisory From Jenkins
https://www.jenkins.io/security/advisory/2024-01-24/


Nijin K

Software Engineer (QA) @ Uptycs, passionate cyber security enthusiast and bug bounty hunter