CVE-2024-23897: Critical Vulnerability in Jenkins Command Line Interface Access

It allows malicious actors to read arbitrary files, such as cryptographic keys, using the Command Line Interface (CLI) to access Jenkins from a script or shell environment. The vulnerability has been assessed with a critical risk rating (CVSS 9.8).

The issue lies in the handling of Jenkins command line, which utilizes the args4j library with a built-in function that replaces the @ symbol followed by a file path with the file’s contents. In Jenkins version 2.441 and earlier, as well as LTS version 2.426.2 and earlier, this function is enabled by default and cannot be disabled.

According to Jenkins, thу vulnerability is critical and could lead to Remote Code Execution (RCE). But using the Intruforce service, such vulnerabilities can be identified and eliminated before hackers exploit them.

Solution:
The only correct way to mitigate this threat is to update Jenkins to version 2.442 or LTS 2.426.3. In these versions, the vulnerability-causing function has been disabled.

Technical Details:
Critical vulnerability.
CVSS 9.8 CVSS:3.1 / AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H

Link to the Jenkins Security Advisory for vulnerability description

CVE-2024-23897: Critical Vulnerability in Jenkins Command Line Interface Access

Relevant blog posts

American corporation MITRE was attacked through zero-day vulnerabilities

CVE-2024-21413: Critical MonikerLink Bug Vulnerability Allows for Remote Code Execution in Microsoft Outlook

CVE-2024-21591: Critical Junos OS Vulnerability Can Lead to Unauthenticated Remote Code Execution