Analysis of CVE-2024-23897
Jenkins is an automation tool written in Java which facilitates continuous integration/continuous delivery and deployment (CI/CD).
What is this vulnerability about?
Jenkins has a built-in CLI for accessing the platform from a shell environment. Jenkins uses the args4j library to parse CLI command arguments. This parser has a feature that replaces an argument consisting of @ followed by a file path with the contents of that file. An attacker targeting a Jenkins instance could use this capability to read arbitrary files from the instance. Jenkins versions 2.441 and earlier, as well as LTS 2.426.2 and earlier, do not disable this feature by default.
How can this be mitigated?
a. If updating Jenkins is possible, update Jenkins to version 2.442 or LTS 2.426.3.
b. If updating Jenkins is not possible, restrict access to the CLI until the patch is applied.
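One way to confirm which side of the fix an instance is on, as an added example that is not part of the original post or the Jenkins project: a Python check that compares a Jenkins version string against the fix versions named above (2.442 weekly, LTS 2.426.3). It assumes Jenkins exposes its version in the X-Jenkins response header and that weekly and LTS versions are told apart by two versus three numeric components.

```python
"""Check whether a Jenkins version is in the CVE-2024-23897 affected range.
Added example, not from the original post or the Jenkins project. Assumes
Jenkins reports its version in the X-Jenkins response header, weekly
releases use two components (2.441) and LTS releases three (2.426.2)."""
import sys
import urllib.error
import urllib.request

FIXED_WEEKLY = (2, 442)    # post: 2.441 and earlier are affected
FIXED_LTS = (2, 426, 3)    # post: LTS 2.426.2 and earlier are affected

def parse_version(text: str) -> tuple:
    """'2.426.2' -> (2, 426, 2); rejects anything that is not 2 or 3 ints."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected Jenkins version format: {text!r}")
    return parts

def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix on its own release line."""
    v = parse_version(version)
    if len(v) == 3:            # LTS line, fixed in 2.426.3
        return v < FIXED_LTS
    return v < FIXED_WEEKLY    # weekly line, fixed in 2.442

def fetch_version(url: str, timeout: float = 5.0) -> str:
    """Read X-Jenkins from the instance root; Jenkins also sends it on the
    403 an anonymous user gets, so the HTTPError response is inspected too."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            header = resp.headers.get("X-Jenkins")
    except urllib.error.HTTPError as err:
        header = err.headers.get("X-Jenkins")
    if not header:
        raise RuntimeError(f"{url}: no X-Jenkins header, not a Jenkins instance?")
    return header

def classify_samples() -> dict:
    """Constructed sample header values mapped to their verdict (no network)."""
    samples = ["2.441", "2.442", "2.426.2", "2.426.3", "2.414.3"]
    return {s: is_vulnerable(s) for s in samples}

if __name__ == "__main__":
    # python check.py http://jenkins.example.internal/  (placeholder URL)
    versions = [fetch_version(sys.argv[1])] if len(sys.argv) == 2 else classify_samples()
    for ver in versions:
        print(ver, "VULNERABLE" if is_vulnerable(ver) else "patched")
```

Run it with no arguments to see the constructed samples classified, or pass your own instance URL to check its X-Jenkins header.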
POC:
Here I am going to show how an attacker could get the initial lines of the /etc/passwd file on the Jenkins instance with this vulnerability.
- Let http://x.x.x.x/ be the Jenkins instance URL.
- The initial step is to download jenkins-cli.jar. It can be downloaded by following these steps: https://www.jenkins.io/doc/book/managing/cli/#downloading-the-client
- Once the CLI is downloaded, run the following command:
java -jar jenkins-cli.jar -s http://x.x.x.x/ -http help 1 "@/etc/passwd"
You will get the initial lines of /etc/passwd, like what is shown in the screenshot below.
It is not just arbitrary file read; further attacks are also possible with this vulnerability.
For example, if the attacker is able to read an AWS key and secret using this method, the attack could be leveraged further against cloud resources. Many other possibilities are also described in the advisory provided by Jenkins.
Many public exploits have been released by this time, and attackers are targeting Jenkins servers on a large scale.
Patch and secure yourself immediately, before an attacker injects malicious code into your builds!
CVE DETAILS
https://nvd.nist.gov/vuln/detail/CVE-2024-23897
Security Advisory From Jenkins
https://www.jenkins.io/security/advisory/2024-01-24/