Critical vulnerability (CVE-2024-23897, CVSS 9.8) in Jenkins’ Command Line Interface poses a severe risk of remote code execution.


Jenkins, an automation server widely used in the open-source community, has recently revealed a critical vulnerability that poses a significant risk to its users. This vulnerability, known as CVE-2024-23897 and with a CVSS score of 9.8, revolves around Jenkins’ built-in Command Line Interface (CLI), which creates a potential avenue for remote code execution (RCE).

CVE-2024-23897:

The vulnerability stems from Jenkins’ reliance on the args4j library for parsing command arguments and options on the Jenkins controller during the processing of CLI commands. This seemingly harmless feature, intended to enhance functionality by replacing an “@” character followed by a file path in an argument with the contents of the file, has inadvertently opened the door to malicious exploitation.

The Implications of the Vulnerability:

This vulnerability is enabled by default and remains unchecked in Jenkins versions up to 2.441 and LTS 2.426.2. It allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system. The Jenkins security team has classified this as a critical flaw, emphasizing its ease of exploitation and the potential for a complete compromise of system confidentiality, integrity, and availability.

The implications of this vulnerability are significant. Attackers with Overall/Read permissions can access the entire contents of files, while those without such permissions are limited to viewing only the initial segments of files, depending on the available CLI commands. The severity of the issue is further highlighted by the fact that the security team discovered methods to read the first three lines of files even without any installed plugins.

In addition to the file read capability, this vulnerability also presents a threat of remote code execution. Attack vectors include exploiting the “Resource Root URL” functionality and creating a “Remember me” cookie that impersonates an administrator account. Each variant of the attack requires specific conditions, ranging from accessible CLI WebSocket endpoints to the retrieval of binary secrets.

Jenkins’ Response and Recommended Actions:

In light of this critical security threat, Jenkins has expeditiously released patches in versions 2.442 and LTS 2.426.3. These patches effectively disable the command parser feature that facilitated the vulnerability. It is imperative that administrators promptly apply these updates to mitigate the associated risk.

Should any complications arise from the fix, administrators have the option to enable the change by configuring the Java system property hudson.cli.CLICommand.allowAtSyntax to true. However, it is strongly advised against taking this action on any network accessible to non-Jenkins administrators.

For those unable to immediately upgrade, a recommended interim measure is to completely disable CLI access. This temporary workaround does not necessitate a Jenkins restart and provides a mitigation until a comprehensive update can be implemented.

Conclusion:

The Jenkins CLI File Read Vulnerability Leading to RCE (CVE-2024-23897) presents a significant risk to the security and integrity of Jenkins instances. Given the potential for arbitrary file reads and remote code execution, the urgency of applying the provided patches cannot be overstated. System administrators and DevOps teams are strongly urged to prioritize the patching process to safeguard their Jenkins environments against potential exploitation.