The open-source Jenkins automation server has fixed nine security flaws, including a critical bug that could lead to remote code execution (RCE) if exploited successfully. The vulnerability, CVE-2024-23897, is an arbitrary file read through the built-in command line interface (CLI).
The maintainers explained, “Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles).” The feature was enabled by default in Jenkins 2.441 and earlier and in LTS 2.426.2 and earlier.
The bug can be exploited to read arbitrary files on the Jenkins controller file system, decoded with the default character encoding of the Jenkins controller process. Attackers with “Overall/Read” permission can read entire files; attackers without it can still read the first three lines of a file, depending on which CLI commands are available to them.
The affected feature reads binary files as strings using the controller process’s default character encoding, so some bytes may fail to decode and be replaced with a placeholder character rather than being returned intact.
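To make the mechanism concrete, the following is an added example written for this article; it is not Jenkins or args4j code. It models the expandAtFiles behaviour described above: an argument of the form `@<path>` is replaced by one argument per line of that file, decoded with a default charset where undecodable bytes become the U+FFFD placeholder. The sample files, the `connect-node` stand-in command and the assumption that an unprivileged command echoes a stray argument back in its error message (which is how lines can leak without Overall/Read) are all constructed for illustration, and the hardened parser simply treats `@` as a literal character, which is what the fix amounts to.

```python
"""Model of the args4j expandAtFiles behaviour behind CVE-2024-23897.

Added example, not Jenkins or args4j code. Assumptions (constructed):
- '@<path>' expands to one argument per line of the file, decoded with
  the process default charset; undecodable bytes become U+FFFD.
- A CLI command reachable without Overall/Read rejects a stray argument
  and echoes it in its error message, leaking one line of the file.
"""
from pathlib import Path

PLACEHOLDER = "\ufffd"  # substituted for bytes that do not decode

# Constructed sample files standing in for the controller's file system.
SAMPLE_FILES = {
    "/etc/passwd": (
        b"root:x:0:0:root:/root:/bin/bash\n"
        b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
        b"bin:x:2:2:bin:/bin:/usr/sbin/nologin\n"
    ),
    # Binary-ish content: valid UTF-8 'é' followed by three invalid bytes.
    "/var/jenkins_home/secret.key.bin": b"caf\xc3\xa9\xff\xfe\x80\n",
}


def read_file(path, files=None):
    """Return raw bytes for path from the constructed map, else the real disk."""
    if files is not None:
        if path not in files:
            raise FileNotFoundError(path)
        return files[path]
    return Path(path).read_bytes()


def expand_at_files(args, files=None, encoding="utf-8"):
    """Vulnerable parser: '@path' is replaced by the lines of that file."""
    expanded = []
    for arg in args:
        if arg.startswith("@"):
            raw = read_file(arg[1:], files)
            # errors='replace' models the default decoder substituting U+FFFD.
            text = raw.decode(encoding, errors="replace")
            expanded.extend(text.splitlines())
        else:
            expanded.append(arg)
    return expanded


def parse_hardened(args, files=None, encoding="utf-8"):
    """Fixed parser: no expansion at all, '@' is an ordinary character."""
    return list(args)


def run_command(args, expander, files=None, has_overall_read=False):
    """Toy one-argument command (a stand-in for a real CLI command).

    With Overall/Read the caller sees every expanded argument, i.e. the
    whole file. Without it the command only fails, but a stray argument is
    echoed in the error text, which leaks a line of the target file.
    """
    argv = expander(args, files=files)
    if has_overall_read:
        return {"ok": True, "args": argv[1:]}
    if len(argv) > 2:
        return {"ok": False, "error": "Too many arguments: " + argv[2]}
    return {"ok": False, "error": "No such node: " + argv[1]}


if __name__ == "__main__":
    target = ["connect-node", "@/etc/passwd"]
    print("vulnerable, with Overall/Read:",
          run_command(target, expand_at_files, SAMPLE_FILES, True))
    print("vulnerable, without Overall/Read:",
          run_command(target, expand_at_files, SAMPLE_FILES))
    print("hardened, without Overall/Read:",
          run_command(target, parse_hardened, SAMPLE_FILES))
    binary = expand_at_files(["x", "@/var/jenkins_home/secret.key.bin"],
                             SAMPLE_FILES)
    print("binary file decoded with placeholders:", repr(binary[1]))
```

Run against the constructed map, the vulnerable parser returns all three lines of the sample passwd file to a reader with Overall/Read, leaks one line through the error message otherwise, and turns the three invalid bytes of the binary sample into three U+FFFD placeholders; the hardened parser passes the literal string `@/etc/passwd` through, so the error message contains nothing from the file.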
Security researcher Yaniv Nizry is credited with discovering and reporting the flaw, which is fixed in Jenkins 2.442 and LTS 2.426.3 by disabling the command parser feature. As a workaround until the patch can be applied, it is recommended to turn off access to the CLI.
The fix comes nearly a year after Jenkins addressed a pair of severe security vulnerabilities dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905).