Updating to the latest Jenkins versions has become imperative, as proof-of-concept (PoC) exploit code targeting a critical vulnerability patched last week is now publicly available.
Tracked as CVE-2024-23897 and affecting Jenkins versions before 2.442 and LTS 2.426.3, the security defect exists because the open source automation server’s command parser has a feature that replaces an ‘@’ character followed by a file path in an argument with the file’s contents.
The flaw allows unauthenticated attackers to read the first few lines of arbitrary files on the Jenkins controller file system and enables authenticated attackers to read the full contents of files.
Last week, Jenkins warned that attackers could exploit the vulnerability to read cryptographic keys stored within binary files and that, under certain conditions, these keys could be used to execute arbitrary code remotely, decrypt secrets, and perform other unauthorized actions.
Code quality platform Sonar, which identified the issue, said last week that successful exploitation of the bug could allow attackers to read build artifacts, passwords, project secrets, SSH keys, source code, and other sensitive information.
Within days after Jenkins announced patches for this and several other vulnerabilities, and after Sonar published a technical writeup on CVE-2024-23897, PoC code targeting the critical issue was published on GitHub, easing the path to malicious exploitation.
The PoC code allows authenticated attackers to retrieve the full contents of files, while unauthenticated attackers can use it to read the first three lines of a file.
Organizations are urged to update to Jenkins versions 2.442 or LTS 2.426.3, which resolve the bug by disabling the problematic feature in the command parser. As a temporary workaround, administrators can disable access to the built-in command line interface (CLI) of Jenkins, which prevents exploitation.
Designed for building, deploying, and automating software projects, Jenkins had anestimated 44% share of the continuous integration and continuous delivery (CI/CD) market last year, making it a highly attractive target for threat actors.