A new critical vulnerability affecting Jenkins, tracked as CVE-2024-23897, has been reported. It has been assigned a CVSS 3.1 score of 9.8. It should be noted that a large number of proofs of concept are freely available, giving threat actors a huge exploitation potential. The Stormshield Customer Security Lab details our protection offerings.

 

The context of CVE-2024-23897

The vulnerability CVE-2024-23897 affects version 2.441 and earlier of the main branch of Jenkins, and also version 2.426.2 and earlier of the LTS (Long Term Support) branch. This flaw allows an attacker to read the content of arbitrary files. However, two situations are possible:

  • If the attacker is not authenticated, he can only read the first lines of a file;
  • If the attacker has access to a read-only account, he can read the whole content of a file.

This vulnerability therefore allows an attacker to access sensitive information such as passwords, SSH keys or, in this context, source code. With these in hand, he could even take over the whole server.

 

Technical details of CVE-2024-23897

The root cause of this vulnerability lies in the command line mechanism integrated in Jenkins. Through it, a command can be given the path of a file, and the command then uses that file's content as its actual parameters.

For the most technical readers, this is achieved by using the token ‘@’. The attacker can then use a specific command that he knows will display its parameters if it fails and thus unveil the content of the file.
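To make the root cause concrete, here is an added Python model of the argument expansion described above; it is written for this explanation and is not Jenkins' or args4j's own code. `expand_args`, `run_command` and the sample file content are hypothetical; the hardened variant simply refuses to treat ‘@’ as a file reference, which is what the fixed versions do by disabling the expansion by default.

```python
import os
import tempfile


def expand_args(args, allow_at_syntax):
    """Return the argument list after '@file' expansion.

    allow_at_syntax=True : an argument '@path' is replaced by the
                           whitespace-separated words of that file
                           (the vulnerable behaviour).
    allow_at_syntax=False: the argument stays a literal string, so
                           argument parsing never touches the filesystem
                           (the hardened behaviour).
    """
    expanded = []
    for arg in args:
        if allow_at_syntax and arg.startswith("@"):
            with open(arg[1:], encoding="utf-8") as fh:
                expanded.extend(fh.read().split())
        else:
            expanded.append(arg)
    return expanded


def run_command(args, allow_at_syntax):
    """Simulated CLI command that expects exactly one parameter.

    On a wrong argument count it echoes the parameters it received in its
    error message. That echo is the leak channel: after expansion, the
    words of the referenced file end up in a message sent back to the caller.
    """
    params = expand_args(args, allow_at_syntax)
    if len(params) != 1:
        return f"ERROR: expected 1 argument but got {len(params)}: {params}"
    return f"OK: {params[0]}"


def demo():
    """Write a constructed sample file, then run both parser modes on it."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("line-one-of-sample-file\nline-two\n")  # constructed content
        path = fh.name
    try:
        vulnerable = run_command(["@" + path], allow_at_syntax=True)
        hardened = run_command(["@" + path], allow_at_syntax=False)
    finally:
        os.remove(path)
    return vulnerable, hardened
```

With expansion enabled the error message contains the file's words; with it disabled the command only ever sees the literal string starting with ‘@’.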

 

CVE-2024-23897: Stormshield protections

Stormshield Network Security

SNS firewalls detect and block exploitation of CVE-2024-23897 with the protocol inspection:

  • http:client,99 : Exploitation of an arbitrary file read vulnerability in Jenkins (CVE-2024-23897)

For these protections to be effective, the traffic must be decrypted.

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommendations

At the time of writing, a Jenkins patch is already available. It is therefore highly recommended to update the product to version 2.442 for the main branch and to version 2.426.3 for the LTS branch.

If you are unable to update the product now, the workaround is to disable the command line interface on the vulnerable version in order to prevent this attack.

Stormshield's Cyber Threat Intelligence team has two primary missions: to study cyber threats to understand them and to continuously improve Stormshield product protections. All with the goal of contributing to the cybersecurity community's effort to address cyber threats.