Numerous proof-of-concept (PoC) exploits have been disclosed for the Critical Jenkins RCE flaw (CVE-2024-23897), which has recently been patched. There are indications that this vulnerability is being actively exploited.
About Critical Jenkins RCE flaw CVE-2024-23897
Jenkins is a popular Java-based open-source automation server that facilitates application development, testing, and deployment. It supports continuous integration (CI) and continuous delivery (CD) processes.
The Critical Jenkins RCE flaw CVE-2024-23897 refers to an arbitrary file read vulnerability in Jenkins’ built-in command line interface (CLI). Exploiting this vulnerability could allow unauthorized individuals with Overall/Read permission to access arbitrary files on the Jenkins controller file system. Even those without Overall/Read permission can still view the initial lines of files.
“This vulnerability stems from the use of the args4j library for parsing command arguments and options on the Jenkins controller,”
said Maxime Paillé, from Québec Ministry of Cybersecurity and Digital Technology.
Additionally, exploiting the critical flaw in Jenkins could allow unauthorized access to binary files that contain cryptographic keys used for various Jenkins features, albeit with certain limitations. This access to sensitive information poses several potential risks, including:
- Remote code execution via stored cross-site scripting (XSS) attacks through build logs.
- Decryption of secrets stored in Jenkins.
- Remote code execution via Resource Root URLs.
- Remote code execution via the “Remember me” cookie.
- Deletion of any item in Jenkins.
- Remote code execution via CSRF protection bypass.
- Java heap dump download.
In addition, another critical flaw in Jenkins, CVE-2024-23898, was revealed, which is classified as a high-severity cross-site WebSocket hijacking vulnerability. Exploiting this vulnerability could enable a threat actor to execute arbitrary command-line interface (CLI) commands by deceiving a victim into clicking on a malicious link.
Both vulnerabilities, CVE-2024-23897 and CVE-2024-23898, have been reported and detailed by the Vulnerability Research Team at SonarSource.
PoC Exploits for Critical Jenkins Vulnerability Are Now Publicly Available
Public proof-of-concept (PoC) exploits have been released for CVE-2024-23897. These exploits pose a risk to unpatched Jenkins servers as they can be utilized by attackers to compromise the system.
Furthermore, there have been reports of active exploitation of this vulnerability in real-world scenarios.
It is crucial for Jenkins users to promptly update their systems to the fixed versions, Jenkins 2.442 and LTS 2.426.3. Applying the patches is strongly advised. Additionally, there are workarounds available to mitigate the risks associated with these vulnerabilities.
