It allows a malicious actor to read arbitrary files, such as cryptographic keys, through the Command Line Interface (CLI) that is used to access Jenkins from a script or shell environment. The vulnerability has been assessed as critical (CVSS 9.8).
The issue lies in the Jenkins CLI's command-line parsing, which uses the args4j library. args4j has a built-in feature that replaces an argument consisting of an @ symbol followed by a file path with the contents of that file. In Jenkins version 2.441 and earlier, as well as LTS version 2.426.2 and earlier, this feature is enabled by default and cannot be disabled.
According to Jenkins, the vulnerability is critical and could lead to Remote Code Execution (RCE). Using the Intruforce service, such vulnerabilities can be identified and eliminated before hackers exploit them.
Solution:
The only correct way to mitigate this threat is to update Jenkins to version 2.442 or LTS 2.426.3. In these versions, the feature that causes the vulnerability has been disabled.
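To check an instance against the affected and fixed versions named above, the following added example (not Jenkins project code) parses the two-component weekly and three-component LTS version formats and reads the version from the X-Jenkins header that Jenkins sends in its HTTP responses; the header block and session value below are constructed samples, not captured from a real server.

```python
"""Version check for the Jenkins CLI '@file' expansion issue above.
Affected: weekly releases up to 2.441 and LTS releases up to 2.426.2;
fixed in 2.442 and LTS 2.426.3. Added example, not Jenkins project code."""
import re
from typing import Optional, Tuple

FIXED_WEEKLY = (2, 442)      # first fixed weekly release
FIXED_LTS = (2, 426, 3)      # first fixed LTS release

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.441' or '2.426.2' into an integer tuple.
    Jenkins weekly releases have two components, LTS releases three;
    a '-suffix' (e.g. '-SNAPSHOT') is ignored."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)

def is_affected(version: str) -> bool:
    """True if this version still has the @file expansion enabled."""
    v = parse_version(version)
    if len(v) == 3:          # LTS line, e.g. 2.426.2
        return v < FIXED_LTS
    if len(v) == 2:          # weekly line, e.g. 2.441
        return v < FIXED_WEEKLY
    raise ValueError(f"unexpected version format: {version!r}")

def version_from_headers(raw_headers: str) -> Optional[str]:
    """Pull the version out of the 'X-Jenkins' header that a Jenkins
    instance includes in its HTTP responses; None if it is absent."""
    m = re.search(r"^X-Jenkins:\s*(\S+)\s*$", raw_headers, re.M | re.I)
    return m.group(1) if m else None

# Constructed sample response headers from an unpatched LTS instance.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
X-Jenkins: 2.426.2
X-Jenkins-Session: deadbeef
Content-Type: text/html;charset=utf-8
"""

if __name__ == "__main__":
    found = version_from_headers(SAMPLE_HEADERS)
    # prints "Jenkins 2.426.2: affected=True"
    print(f"Jenkins {found}: affected={is_affected(found)}")
```

The check is version-based only; it reports whether the running release still has the expansion enabled, not whether it has been exploited.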
Technical Details:
Critical vulnerability.
CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Link to the Jenkins Security Advisory for vulnerability description