Jenkins has fixed a security flaw in args4j, the library its command-line interface uses to parse command arguments and options. The flaw affected the Jenkins controller when it processed CLI commands [3].

Description

The flaw involves an args4j feature called expandAtFiles [3], which replaces an argument consisting of an "@" character followed by a file path with the contents of that file [3]. The feature was enabled by default in Jenkins 2.441 and earlier and in LTS 2.426.2 and earlier [3] [5]. To address the vulnerability, it has been disabled in Jenkins 2.442 and LTS 2.426.3 [1] [2] [4].
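To make the mechanism concrete, the following is an added example (written for this page, not args4j or Jenkins code) that models the expandAtFiles behaviour in Python: an argument beginning with "@" is replaced by the lines of the named file, one argument per line, and a hypothetical CLI command that echoes its first positional argument in an error message then hands the file's first line back to the caller. The command name, its message format and the sample "master.key" contents are all constructed for the demonstration; the fixed configuration simply leaves the "@..." argument untouched.

```python
"""Simplified model of the args4j expandAtFiles behaviour behind CVE-2024-23897.

Added example, not the args4j or Jenkins source. It assumes the library reads the
named file line by line and splices each line in as a separate argument, which is
the shape that lets a command's error text leak the first line of a file.
"""
import tempfile
from pathlib import Path
from typing import List


def expand_at_files(args: List[str], expand: bool) -> List[str]:
    """Mimic a parser with expandAtFiles on (vulnerable) or off (fixed).

    With expand=True an argument beginning with '@' is replaced by the lines of the
    named file, one argument per line. With expand=False (the Jenkins 2.442 /
    LTS 2.426.3 setting) the argument passes through literally.
    """
    if not expand:
        return list(args)
    out: List[str] = []
    for arg in args:
        if arg.startswith("@"):
            path = Path(arg[1:])
            if not path.exists():
                raise ValueError(f"No such file: {path}")
            out.extend(path.read_text().splitlines())
        else:
            out.append(arg)
    return out


def run_toy_command(args: List[str], expand: bool) -> str:
    """Hypothetical CLI command taking one positional argument and echoing it in
    its error text. The message format is invented for this example."""
    expanded = expand_at_files(args, expand)
    if not expanded:
        return "error: missing argument"
    # The first positional argument ends up in the error message returned to the
    # caller, so whatever was on line 1 of the "@file" is echoed back.
    return f"error: no such node '{expanded[0]}'"


def demo() -> dict:
    """Run both configurations against a constructed secret file and return the outputs."""
    with tempfile.TemporaryDirectory() as d:
        secret = Path(d) / "master.key"
        # Constructed sample content standing in for a key file on the controller.
        secret.write_text("deadbeefcafef00d\nsecond-line\n")
        at_arg = f"@{secret}"
        return {
            "vulnerable": run_toy_command([at_arg], expand=True),
            "fixed": run_toy_command([at_arg], expand=False),
            "expanded_arg_count": len(expand_at_files([at_arg], expand=True)),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable run reports `no such node 'deadbeefcafef00d'`, i.e. the first line of the file, while the fixed run reports the literal `@/.../master.key` path. Each line of the file becomes its own argument, which is why a command with more positional parameters can expose more lines.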

The flaw, tracked as CVE-2024-23897 [6], lets attackers read arbitrary files on the Jenkins controller file system, and in some deployments that file read can be escalated to remote code execution. It was discovered and reported by security researcher Yaniv Nizry. It carries a CVSS score of 9.8 and stems from the CLI command parser feature described above. Attackers with Overall/Read permission could read entire files, while attackers without that permission could still read the first three lines [1]; in both cases this included binary files containing cryptographic keys, with certain restrictions [1].

Jenkins has released patched versions that fix the vulnerability [6]. Until the update can be applied, the recommended workaround [1] [2] [4] is to disable access to the CLI [1] [4].
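As an added example (not Jenkins' own tooling), the script below triages a controller against the affected version ranges named above using the X-Jenkins response header that Jenkins sends with its HTTP replies. It assumes the convention that LTS versions carry three components (2.426.2) and weekly releases two (2.441); the HTTP responses in the demo are constructed samples, and the network helper is provided only for real use.

```python
"""Version triage for CVE-2024-23897 from the X-Jenkins response header.

Added example; not Jenkins' own code. Assumes LTS versions have three dotted
components and weekly releases two, and uses the fixed versions named in the
advisory: weekly 2.442 and LTS 2.426.3.
"""
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

FIXED_WEEKLY: Tuple[int, ...] = (2, 442)    # first weekly release with expandAtFiles disabled
FIXED_LTS: Tuple[int, ...] = (2, 426, 3)    # first LTS release with expandAtFiles disabled


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2); reject anything that is not 2 or 3 dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version string: {text!r}")
    return parts


def is_affected(version: str) -> bool:
    """True when the given core version still ships with expandAtFiles enabled."""
    parts = parse_version(version)
    if len(parts) == 3:            # LTS line
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY    # weekly line


def version_from_headers(raw_headers: str) -> Optional[str]:
    """Pull the X-Jenkins value out of a raw HTTP response header block."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def triage(raw_headers: str) -> Dict[str, object]:
    """Return the detected version and whether it falls in the affected range."""
    version = version_from_headers(raw_headers)
    if version is None:
        return {"version": None, "affected": None,
                "note": "no X-Jenkins header; not a Jenkins controller?"}
    affected = is_affected(version)
    return {"version": version, "affected": affected,
            "note": "upgrade, or disable CLI access until you can" if affected else "fixed release"}


def fetch_headers(base_url: str, timeout: float = 5.0) -> str:
    """HEAD the controller and return its raw headers (network; not used in the demo).
    Jenkins answers unauthenticated requests with 403 but still sets X-Jenkins,
    so the HTTPError path is handled rather than treated as failure."""
    req = urllib.request.Request(base_url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return str(resp.headers)
    except urllib.error.HTTPError as err:
        return str(err.headers)


# Constructed sample responses standing in for HEAD requests against three controllers.
SAMPLE_VULNERABLE_WEEKLY = "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.441\r\n"
SAMPLE_VULNERABLE_LTS = "HTTP/1.1 200 OK\r\nX-Jenkins: 2.426.2\r\n"
SAMPLE_FIXED_LTS = "HTTP/1.1 200 OK\r\nX-Jenkins: 2.426.3\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE_WEEKLY, SAMPLE_VULNERABLE_LTS, SAMPLE_FIXED_LTS):
        print(triage(sample))
```

Run it against a real controller with `triage(fetch_headers("https://jenkins.example.internal/"))`. A version check only tells you whether the vulnerable parser is present; it does not tell you whether the CLI has been disabled as a workaround, so an "affected" result on a controller you have already hardened should be confirmed by checking that the CLI endpoint is actually unreachable.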

Conclusion

This update comes after Jenkins addressed two severe security vulnerabilities last year [1]. Administrators should upgrade affected controllers to Jenkins 2.442 or LTS 2.426.3, or disable CLI access until they can, to limit the impact of this flaw and protect the Jenkins controller. Ongoing monitoring and timely updates remain necessary to prevent similar vulnerabilities from arising in the future.

References

[1] https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html
[2] https://vulners.com/thn/THN:8168D24DB3E890711B9E7DA64245BE9D
[3] https://vulners.com/redhatcve/RH:CVE-2024-23897
[4] https://www.443news.com/2024/01/critical-jenkins-vulnerability-exposes-servers-to-rce-attacks/
[5] https://nvd.nist.gov/vuln/detail/CVE-2024-23897
[6] https://thecyberthrone.in/2024/01/25/jenkins-fixes-critical-rce-vulnerability-cve-2024-23897/