Service Notices

Jenkins Arbitrary File Read Vulnerability (CVE-2024-23897)

Jan 29, 2024 GMT+08:00

I. Overview

Jenkins has published a security advisory for an arbitrary file read vulnerability (CVE-2024-23897) affecting a range of Jenkins versions. Jenkins ships a built-in command line interface (CLI) for accessing the controller from a script or shell environment, and it uses the args4j library to parse CLI command arguments. args4j can expand an argument that begins with the @ character into the contents of the file at the path that follows it, and the affected Jenkins versions leave this feature enabled. An attacker who can reach the CLI can therefore make the controller read arbitrary files from its own file system: with Overall/Read permission the entire file can be recovered, and without it at least the first lines of a file can still be obtained. The advisory describes several ways in which reading controller files (for example secrets and cryptographic keys) can be chained with other Jenkins functionality to execute arbitrary code. A proof of concept (PoC) has been published, so the risk is high.

Additionally, a cross-site WebSocket hijacking (CSWSH) vulnerability in the CLI (CVE-2024-23898) is fixed in the same release. The affected Jenkins versions do not validate the Origin of requests made to the CLI WebSocket endpoint, so an attacker who lures a logged-in user to a malicious web page can execute CLI commands on the Jenkins controller in the context of that user's session.

Jenkins is an open-source continuous integration (CI) tool with a user-friendly web interface. If you run Jenkins, check the version of every controller and apply the fix promptly.

Reference:

https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314

https://www.openwall.com/lists/oss-security/2024/01/24/6

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

CVE-2024-23897:

Jenkins <= 2.441

Jenkins LTS <= 2.426.2

CVE-2024-23898:

2.217 <= Jenkins <= 2.441

2.222.1 <= Jenkins LTS <= 2.426.2

Secure versions:

Jenkins 2.442

Jenkins LTS 2.426.3
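As an added example that is not part of this notice or of the Jenkins advisory, the following Python script classifies a Jenkins version against the ranges listed above. It takes the version from the X-Jenkins header that Jenkins includes in its HTTP responses, distinguishes LTS releases (three components, e.g. 2.426.2) from weekly releases (two components, e.g. 2.441), and compares each against its own release line. That separation matters: the LTS fix 2.426.3 sorts numerically below the weekly fix 2.442, so a single comparison against 2.442 would wrongly report a patched LTS controller as vulnerable. The sample response headers in the script are constructed for illustration, not captured from a real host.

```python
"""Classify a Jenkins version against the affected ranges for
CVE-2024-23897 and CVE-2024-23898.

Added example, not code from the Jenkins project or this notice. The
ranges are those given in the advisory; the X-Jenkins header is the one
Jenkins sets on HTTP responses. Sample headers below are constructed.
"""
from __future__ import annotations

# Weekly releases have two components (2.441); LTS releases have three
# (2.426.2). Each line has its own fix release and must be compared on
# its own: (2, 426, 3) < (2, 442) numerically, yet 2.426.3 is fixed.
WEEKLY_FIX = (2, 442)
LTS_FIX = (2, 426, 3)

# CVE-2024-23898 (CSWSH) only reaches back to the releases that
# introduced the CLI WebSocket endpoint: 2.217 and LTS 2.222.1.
WEEKLY_CSWSH_FIRST = (2, 217)
LTS_CSWSH_FIRST = (2, 222, 1)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2). Anything that is not
    dot-separated integers is rejected rather than guessed at."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: tuple[int, ...]) -> bool:
    """LTS versions carry a third component; weeklies do not."""
    return len(version) == 3


def affected_cves(text: str) -> list[str]:
    """Return the CVE IDs whose affected range contains this version."""
    v = parse_version(text)
    if len(v) not in (2, 3):
        raise ValueError(f"unexpected version shape: {text!r}")
    fix = LTS_FIX if is_lts(v) else WEEKLY_FIX
    cswsh_first = LTS_CSWSH_FIRST if is_lts(v) else WEEKLY_CSWSH_FIRST
    cves: list[str] = []
    if v < fix:
        # Everything below the fix release can be made to read files.
        cves.append("CVE-2024-23897")
        if v >= cswsh_first:
            # Only releases with the WebSocket CLI endpoint are CSWSH-prone.
            cves.append("CVE-2024-23898")
    return cves


def version_from_headers(headers: dict[str, str]) -> str | None:
    """Extract the version Jenkins advertises in its X-Jenkins response
    header. Header names are case-insensitive, so match accordingly."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed sample response headers (not from a real controller).
    samples = [
        {"X-Jenkins": "2.426.2", "Server": "Jetty(10.0.18)"},
        {"X-Jenkins": "2.426.3"},
        {"x-jenkins": "2.441"},
        {"X-Jenkins": "2.204.1"},
        {"Server": "nginx"},
    ]
    for h in samples:
        ver = version_from_headers(h)
        if ver is None:
            print("no X-Jenkins header: version unknown, check manually")
            continue
        hits = affected_cves(ver)
        print(f"{ver:>10}: {', '.join(hits) if hits else 'not affected'}")
```

Feed the script the X-Jenkins header value returned by each controller you operate. A reverse proxy in front of Jenkins may strip that header; in that case read the version from the footer of the Jenkins web UI or from the controller host itself, and pass that string to affected_cves.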

IV. Vulnerability Handling

Both vulnerabilities are fixed in Jenkins 2.442 and Jenkins LTS 2.426.3. If your Jenkins controller version falls into the affected ranges above, upgrade to the secure version of your release line or later. If you cannot upgrade immediately, the Jenkins advisory referenced above describes disabling access to the CLI as a temporary workaround until the upgrade can be performed.

https://www.jenkins.io/download/

Note: Before upgrading, back up the controller (including the Jenkins home directory) and test the new version thoroughly before rolling it out to production.