The maintainers of the open up-source continual integration/ongoing shipping and deployment (CI/CD) automation computer software Jenkins have fixed 9 security flaws, like a critical bug that, if productively exploited, could final result in distant code execution (RCE).
The issue, assigned the CVE identifier CVE-2024-23897, has been explained as an arbitrary file study vulnerability via the constructed-in command line interface (CLI)
“Jenkins works by using the args4j library to parse command arguments and options on the Jenkins controller when processing CLI instructions,” the maintainers said in a Wednesday advisory.
“This command parser has a element that replaces an @ character adopted by a file route in an argument with the file’s contents (expandAtFiles). This attribute is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and before does not disable it.”
A threat actor could exploit this quirk to read through arbitrary documents on the Jenkins controller file process employing the default character encoding of the Jenkins controller procedure.
When attackers with “Overall/Go through” permission can study whole documents, all those without it can browse the 1st three lines of the documents based on the CLI commands.
Furthermore, the shortcoming could be weaponized to examine binary data files containing cryptographic keys, albeit with specific constraints. Offered the binary secrets and techniques can be extracted, Jenkins suggests it could open the doorway to different attacks –
- Remote code execution by way of Useful resource Root URLs
- Distant code execution via “Try to remember me” cookie
- Remote code execution via stored cross-web-site scripting (XSS) attacks by create logs
- Distant code execution by using CSRF security bypass
- Decrypt secrets and techniques stored in Jenkins
- Delete any item in Jenkins
- Down load a Java heap dump
“Though documents containing binary data can be read through, the influenced characteristic attempts to go through them as strings utilizing the controller process’s default character encoding,” Jenkins explained.
“This is probably to result in some bytes not staying examine successfully and getting replaced with a placeholder price. Which bytes can or simply cannot be study depends on this character encoding.”
Security researcher Yaniv Nizry has been credited with discovering and reporting the flaw, which has been set in Jenkins 2.442, LTS 2.426.3 by disabling the command parser function.
As a short-expression workaround till the patch can be used, it truly is encouraged to transform off obtain to the CLI.
The enhancement will come practically a yr right after Jenkins resolved a pair of significant security vulnerabilities dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905) that could guide to code execution on specific devices.
Located this short article fascinating? Observe us on Twitter and LinkedIn to browse extra unique material we publish.
Some elements of this post are sourced from: