A new critical vulnerability, CVE-2024-23897, affecting Jenkins has been reported. It has been assigned a CVSS 3.1 score of 9.8. Note that a significant number of proofs of concept are freely available, making unpatched instances highly susceptible to exploitation by threat actors. Visit the Stormshield Customer Security Lab to learn more about our protection services.
Context of CVE-2024-23897
CVE-2024-23897 affects Jenkins main branch versions 2.441 and below, as well as LTS (Long Term Support) branch versions 2.426.2 and below. The flaw allows an attacker to read the contents of arbitrary files. Two situations are possible, depending on the attacker's level of access:
- If the attacker is not authenticated, they can only read the first line of the file.
- If the attacker has access to a read-only account, they can read the entire contents of the file.
This vulnerability gives an attacker access to sensitive information such as passwords, SSH keys or, in this context, source code. With these in hand, an attacker can even take over the entire server.
Technical details of CVE-2024-23897
The root cause of this vulnerability lies in the command line mechanism integrated into Jenkins. It lets a caller pass the path of a file in place of a command argument, and the command then uses the file's contents as the actual parameter value.
For the most technical readers: this behaviour is triggered by the ‘@’ token placed before the file path. An attacker can then reveal the contents of the file by invoking a command that echoes its parameters back when it fails.
CVE-2024-23897: Stormshield protection
Stormshield Network Security
SNS Firewall uses protocol inspection to detect and block exploits of CVE-2024-23897.
- http:client, 99: Exploiting Jenkins Arbitrary File Read Vulnerability (CVE-2024-23897)
For these protections to be effective, the traffic must be decrypted.
Confidence index of the protection provided by Stormshield | Confidence index for no false positives
Recommendations
As of this writing, a patch for Jenkins is already available. We strongly recommend updating the product to version 2.442 on the main branch or version 2.426.3 on the LTS branch.
If you are currently unable to update, disable the vulnerable command line interface as a workaround to prevent this attack until the update can be applied.
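As an added example, not part of the Stormshield advisory, the following Python helper classifies Jenkins version strings against the affected ranges quoted above (weekly releases use two components, LTS releases three) and reads the version from the X-Jenkins header that Jenkins sends with its HTTP responses. The inventory lines are constructed sample data.

```python
"""Triage helper for CVE-2024-23897: flag Jenkins instances whose version
falls inside the affected ranges stated in the advisory."""
import re

# Inclusive upper bounds of the affected ranges, as stated in the advisory.
LAST_VULNERABLE_WEEKLY = (2, 441)      # main branch: 2.441 and below
LAST_VULNERABLE_LTS = (2, 426, 2)      # LTS branch: 2.426.2 and below

# Weekly versions look like 2.441, LTS versions like 2.426.2; tolerate suffixes.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(version: str):
    """Return ('weekly' | 'lts', numeric tuple) for a Jenkins version string."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    major, minor, patch = match.groups()
    if patch is None:
        return "weekly", (int(major), int(minor))
    return "lts", (int(major), int(minor), int(patch))


def is_vulnerable(version: str) -> bool:
    """True when the version is at or below the last affected release of its branch."""
    branch, parsed = parse_version(version)
    bound = LAST_VULNERABLE_WEEKLY if branch == "weekly" else LAST_VULNERABLE_LTS
    return parsed <= bound


def version_from_headers(raw_headers: str):
    """Extract the version advertised in the X-Jenkins response header, if present."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def triage(inventory: dict) -> list:
    """Return the hostnames (sorted) whose captured headers reveal an affected version."""
    affected = []
    for host, headers in inventory.items():
        version = version_from_headers(headers)
        if version is not None and is_vulnerable(version):
            affected.append(host)
    return sorted(affected)


# Constructed sample inventory: host -> raw response headers captured during a scan.
SAMPLE_INVENTORY = {
    "ci-weekly.example": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.441\r\n",
    "ci-lts.example": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.426.3\r\n",
    "ci-old-lts.example": "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.414.3\r\n",
}

if __name__ == "__main__":
    print("Affected hosts:", triage(SAMPLE_INVENTORY))
```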