A new critical vulnerability impacting Jenkins, identified by the reference CVE-2024-23897, has been reported. It has been assigned a CVSS 3.1 score of 9.8. It should be noted that an important number of proofs of concepts are freely available, enabling a huge potential of exploitation by threat actors. The Stormshield Customer Security Lab details our protection offerings.
The context of CVE-2024-23897
The vulnerability CVE-2024-23897 impact the version 2.441 and lower of the main branch of Jenkins, and also the version 2.426.2 and lower of the LTS (Long Term Support) branch. This flaw allows an attacked to read the content of arbitrary files. However, 2 situations are possible:
- If the attacker is not authenticated, he can only read the first lines of a file;
- If the attacker has access to a read-only account, he can read the whole content of a file.
This vulnerability then allows an attacker to access sensitive information like passwords, SSH keys or, in this context, source code. With these in hands, he could even take over the whole server.
Technical details of CVE-2024-23897
The root-cause of this vulnerability lies in the command line mechanism integrated in Jenkins. Through it, it is then possible to give to a command the path of a file and this command will use its content as actual parameters.
For the most technical readers, this is achieved by using the token ‘@’. The attack can then use a specific command that he knows will display its parameters in case it fails and thus, unveils the content of the file.
CVE-2024-23897: Stormshield protections
Stormshield Network Security
SNS firewalls detect and block exploitation of CVE-2024-23897 with the protocol inspection:
- http:client,99 : Exploitation of a arbitrary file read vulnerability in Jenkins (CVE-2024-23897)
For these protections to be efficient, the traffic must be decrypted.
Confidence index for the protection offered by Stormshield
Confidence index for the absence of false positives
At the time of writing, a patch of Jenkins is already available. It is then highly recommended to update the product in version 2.442 for the main branch and in version 2.426.3 for the LTS branch.
If you are unable to update the product now, the workaround requires to disable the command line interface on the vulnerable version in order to prevent this attack.