Jenkins fixes a critical issue allowing unauthenticated access to controller
Take action: If you are using Jenkins, update to Jenkins 2.442 (weekly) or LTS 2.426.3, or apply the workaround that disables the CLI. This is now urgent, since a PoC is public.
The Jenkins project recently issued a critical security update for Jenkins core and several plugins, addressing multiple vulnerabilities, including one that could lead to remote code execution. The critical issue, tracked as CVE-2024-23897 (CVSS score 9.8), is an arbitrary file read vulnerability in Jenkins core that enables unauthenticated remote attackers to read files on the Jenkins controller via the command line interface (CLI). The flaw abuses a feature of the args4j command-line parsing library used by Jenkins; that feature is enabled by default and was not disabled before version 2.442.
The vulnerability could allow attackers to obtain sensitive information or secrets, leading to actions such as forging "Remember Me" cookies, decrypting encrypted secrets, deleting items, or downloading heap dumps. Affected versions are all Jenkins weekly releases up to and including 2.441 and all Jenkins LTS releases up to and including 2.426.2.
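To turn the affected-version ranges above into something an administrator can run across an inventory, here is a small version check. This is an added example, not code from the Jenkins project or from the advisory: the fixed versions (2.442 weekly, 2.426.3 LTS) and the affected ranges (weekly up to 2.441, LTS up to 2.426.2) come from the text; the `X-Jenkins` response header that a Jenkins controller sends is real, but the header sets below are constructed samples, not captured from a live system. It generalises the two stated ranges to the full weekly and LTS lines, treating any LTS release older than 2.426.3 (for example 2.414.x) as affected as well.

```python
"""Classify a Jenkins controller version against CVE-2024-23897.

Added example (not Jenkins project code). Version ranges are taken from the
advisory text; sample HTTP headers are constructed for illustration.
"""
import re

# First fixed releases named in the advisory.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(text):
    """Turn '2.426.2' into (2, 426, 2) and '2.441' into (2, 441).

    Suffixed or otherwise unexpected strings (e.g. '2.441-SNAPSHOT') are
    rejected rather than guessed at, so a bad inventory row is visible.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(version):
    """LTS releases carry a third component (2.426.2); weeklies have two (2.441)."""
    return len(version) == 3


def assess(version_text):
    """Return (affected, recommended_fix) for a Jenkins version string.

    Weekly line: anything below 2.442 is affected.
    LTS line: anything below 2.426.3 is affected, which covers 2.426.2 and
    every older LTS line. A newer LTS line (e.g. 2.440.1) compares above
    2.426.3 and is therefore reported as not affected.
    """
    v = parse_version(version_text)
    if is_lts(v):
        affected = v < FIXED_LTS
        fix = ".".join(map(str, FIXED_LTS))
    else:
        affected = v < FIXED_WEEKLY
        fix = ".".join(map(str, FIXED_WEEKLY))
    return affected, fix


def version_from_headers(headers):
    """Extract the version from a dict of HTTP response headers.

    Jenkins reports its version in the `X-Jenkins` header; the lookup is
    case-insensitive because proxies often rewrite header casing.
    Returns None when the header is absent (not a Jenkins controller, or
    the header is stripped by a front-end).
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed sample responses, one per hypothetical controller.
    samples = {
        "ci-weekly.example.internal": {"X-Jenkins": "2.441", "Server": "Jetty"},
        "ci-lts.example.internal": {"x-jenkins": "2.426.2"},
        "ci-old-lts.example.internal": {"X-Jenkins": "2.414.3"},
        "ci-patched.example.internal": {"X-Jenkins": "2.426.3"},
        "not-jenkins.example.internal": {"Server": "nginx"},
    }
    for host, headers in samples.items():
        version = version_from_headers(headers)
        if version is None:
            print(f"{host}: no X-Jenkins header, skipping")
            continue
        affected, fix = assess(version)
        state = f"AFFECTED, update to {fix}" if affected else "not affected"
        print(f"{host}: {version} -> {state}")
```

Run it against a saved inventory of response headers rather than probing hosts you do not operate; the check is meant for confirming your own patch status after the update has rolled out.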
A workaround mitigation is to disable access to the CLI.
Update: several PoC exploits have already been released on GitHub (here and here). They are useful for checking whether your instance is vulnerable, but also expect that people will use them as a starting point for automated attacks. Jenkins honeypots have also already detected active attacks. PATCH NOW.
Apart from CVE-2024-23897, the update also addresses a high-severity cross-site WebSocket hijacking issue in the Jenkins CLI (CVE-2024-23898) and vulnerabilities in several plugins that could lead to remote code execution, such as CVE-2024-23899 in the Git Server Plugin and CVE-2024-23904 in the Log Command Plugin.