A critical vulnerability in Jenkins' built-in command-line interface (CLI) could allow an attacker to obtain an encryption key that could be used to remotely execute arbitrary code.
Jenkins is an open-source, extensible web-based platform for continuous integration, delivery, and deployment (compilation, packaging, and deployment of software/code).
This issue, CVE-2024-23897, affects Jenkins 2.441 and earlier, as well as LTS 2.426.2 and earlier, as the command parser (args4j library) has a feature where the "@" character in the argument followed by the file path is replaced with the contents of the file.
Jenkins Security Advisory 2024-01-24 warned in its advisory: "This allows an attacker to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process." ”
An unauthenticated attacker can exploit this security flaw to read the first few lines of a file, while an authenticated attacker, even those with only "read-only" permissions, can view the entire contents of the file.
This flaw can be exploited to read the contents of binary files containing encryption keys that, under certain conditions, open the door to a variety of remote code execution (RCE) scenarios and allow an attacker to decrypt stored secrets, delete items in Jenkins, and download a Java heap dump of Jenkins controller processes.
According to Sonar, the code security firm that discovered the vulnerability, the root cause of the issue is the invocation of a function that "reads the file in the path after @ and expands a new parameter for each line."
An attacker only needs to find "a command that accepts any number of parameters and displays those parameters to the user" and then exploits the vulnerability to access the contents of a file populated with parameters.
Sonar said that by exploiting the vulnerability, an attacker could read SSH keys, passwords, project secrets and credentials, source code, build artifacts, and other information.
Jenkins 2.442 and LTS 2.426.3 addressed the vulnerability by disabling the command parser feature. If you are unable to update to the latest version, it is recommended that administrators disable access to the Jenkins CLI, which prevents exploitation altogether, but only as a temporary workaround.
The latest Jenkins release also addresses two high-severity bugs, including a Cross-Site WebSocket Hijacking (CSWSH) error that causes CLI command execution and reading arbitrary files in the Git server plugin, with a similar impact to CVE-2024 - 23897, but requiring authentication to exploit.
Jenkins also announced patches for multiple low-to-medium severity vulnerabilities in open-source automation servers, as well as fixes for multiple high-severity vulnerabilities in various plugins, but warned that CVE-2024-23904 is a log command plugin flaw, similar to CVE-2024-23897, which remains unpatched.
#International Cyber Security Hot Information##Comment Area Idea Contest##Seeing the World##Sending Blessings in the Comment Area##Cybersecurity##Security Vulnerability##Comment Area##0day##黑客#