CI/CD at risk, critical Jenkins bug

January 29th — Software developers are advised to promptly update their Jenkins servers in response to the discovery of a critical vulnerability, CVE-2024-23897.

This vulnerability could potentially allow unauthorized attackers, even those without specific permissions, to read arbitrary files on the Jenkins controller file system.

Jenkins, a widely used open-source automation server in the Continuous Integration and Continuous Deployment (CI/CD) software space with a market share of approximately 44%, is highly susceptible to this exploit.

Args4j Jenkins library

The vulnerability arises from the use of the args4j library in Jenkins, which parses command arguments and options during the processing of CLI commands. A specific feature within this library, known as expandAtFiles, is enabled by default, allowing attackers to read arbitrary files on the Jenkins controller file system by manipulating file paths in arguments. Jenkins versions 2.441 and earlier, as well as LTS 2.426.2 and earlier, do not disable this feature.

Security researchers highlight the potential severity of this issue, as threat actors could leverage the vulnerability to access Jenkins secrets, enabling them to escalate privileges to admin status and potentially execute arbitrary code on the server.

Widespread Jenkins use

Given Jenkins’ widespread use for building, deploying, and automating software projects, an attacker gaining remote control over these environments could compromise new software builds with malicious code, posing a significant threat to digital supply chain security.

Jenkins has released patches for CVE-2024-23897 and another vulnerability, CVE-2024-23898 (cross-site WebSocket hijacking), along with workarounds and detailed information on exploitation methods. Immediate action is recommended, and developers can apply the fixes by updating to Jenkins versions 2.442 and LTS 2.426.3.

Despite these patches, alarming statistics reveal that over 75,000 Jenkins servers worldwide remain exposed and unpatched. Exploits for these vulnerabilities have been published on GitHub, emphasizing the urgency for the community to address this security issue promptly.
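One practical defender step the article implies is an inventory sweep: decide, per Jenkins server, whether its version is still below the fixed releases named above (2.442 weekly, 2.426.3 LTS). The example below is added here and is not code from the article or from the Jenkins project; it assumes versions have already been collected (for instance from the `X-Jenkins` response header Jenkins sends, a header name taken from Jenkins itself, not from the article), and the inventory it runs on is constructed sample data. The point it makes beyond the text is that LTS versions carry three components and weekly versions two, so each line must be compared against its own fix.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory summary above.
FIXED_WEEKLY = (2, 442)      # weekly line: 2.441 and earlier are affected
FIXED_LTS = (2, 426, 3)      # LTS line: 2.426.2 and earlier are affected

# Jenkins version strings: "2.441" (weekly) or "2.426.2" (LTS).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(raw: str) -> Optional[Tuple[int, ...]]:
    """Return a tuple of ints for a Jenkins version string, or None if it
    is not in the plain weekly/LTS numbering scheme."""
    m = VERSION_RE.match(raw.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(raw: str) -> Optional[bool]:
    """True if the version predates the CVE-2024-23897 fix, False if it is
    at or past the fix, None if the string cannot be parsed.
    A three-component version is an LTS release and must be compared with
    the LTS fix; comparing 2.426.3 against the weekly 2.442 would wrongly
    flag a patched LTS server."""
    v = parse_version(raw)
    if v is None:
        return None
    if len(v) == 3:
        return v < FIXED_LTS
    return v < FIXED_WEEKLY


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'patched' or 'unparsed' (needs a manual look)."""
    verdicts = {}
    for host, version in inventory.items():
        affected = is_affected(version)
        verdicts[host] = ("unparsed" if affected is None
                          else "vulnerable" if affected else "patched")
    return verdicts


def needs_action(inventory: Dict[str, str]) -> List[str]:
    """Hosts that still need an update or a manual check, sorted by name."""
    return sorted(h for h, v in triage(inventory).items() if v != "patched")


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "ci-a.example.internal": "2.426.2",   # LTS, one release short of the fix
    "ci-b.example.internal": "2.426.3",   # LTS, fixed
    "ci-c.example.internal": "2.441",     # weekly, one release short of the fix
    "ci-d.example.internal": "2.442",     # weekly, fixed
    "ci-e.example.internal": "2.414.3",   # older LTS line, still affected
    "ci-f.example.internal": "unknown",   # banner hidden or not Jenkins; check by hand
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```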
