The vulnerability arises from the use of the args4j library in Jenkins, which parses command arguments and options while CLI commands are processed. One feature of this library, known as expandAtFiles, is enabled by default: an argument consisting of an @ character followed by a file path is replaced with the contents of that file. Because Jenkins did not turn the feature off, an attacker can supply such an argument to read arbitrary files on the Jenkins controller file system. Jenkins versions 2.441 and earlier, as well as LTS 2.426.2 and earlier, do not disable this feature.
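As an added illustration of the args4j behaviour described above (this is not code from Jenkins or from the original article), the following Java program parses a constructed `@file` argument twice: once with args4j's default ParserProperties, where the at-syntax expansion is on, and once with `ParserProperties.defaults().withAtSyntax(false)`, the setting that keeps such an argument literal. The `AtSyntaxDemo` bean is a hypothetical stand-in for a CLI command, and the file it expands is a temporary file the demo creates itself.

```java
import org.kohsuke.args4j.Argument;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.ParserProperties;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical command bean standing in for a Jenkins CLI command (assumption, not Jenkins code). */
public class AtSyntaxDemo {

    @Argument(metaVar = "ARG")
    public List<String> args = new ArrayList<>();

    /** Hardened parser: at-syntax disabled, so an argument beginning with '@' stays a literal string. */
    static List<String> parseHardened(String[] argv) throws CmdLineException {
        AtSyntaxDemo bean = new AtSyntaxDemo();
        CmdLineParser parser = new CmdLineParser(bean, ParserProperties.defaults().withAtSyntax(false));
        parser.parseArgument(argv);
        return bean.args;
    }

    /** Default parser: at-syntax enabled, so '@path' is replaced by the lines of that file before parsing. */
    static List<String> parseDefault(String[] argv) throws CmdLineException {
        AtSyntaxDemo bean = new AtSyntaxDemo();
        new CmdLineParser(bean).parseArgument(argv);  // same as ParserProperties.defaults()
        return bean.args;
    }

    public static void main(String[] argv) throws IOException, CmdLineException {
        // Constructed sample file, created by the demo itself, so the expansion can be observed safely.
        Path sample = Files.createTempFile("atsyntax-demo", ".txt");
        Files.write(sample, List.of("first-line", "second-line"));
        String[] input = {"@" + sample};

        // With defaults the one '@file' argument is replaced by the file's lines, one argument per line.
        System.out.println("default  : " + parseDefault(input));
        // With at-syntax disabled the argument reaches the command exactly as it was typed.
        System.out.println("hardened : " + parseHardened(input));

        Files.deleteIfExists(sample);
    }
}
```

Compile and run with args4j on the classpath; the difference between the two printed lists is the behaviour the Jenkins fix removes.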
Security researchers highlight the potential severity of this issue: threat actors could leverage the vulnerability to read Jenkins secrets, use them to escalate privileges to admin status, and potentially execute arbitrary code on the server.
Widespread Jenkins use
Given Jenkins’ widespread use for building, deploying, and automating software projects, an attacker gaining remote control over these environments could compromise new software builds with malicious code, posing a significant threat to digital supply chain security.
Jenkins has released patches for CVE-2024-23897 and another vulnerability, CVE-2024-23898 (cross-site WebSocket hijacking), along with workarounds and detailed information on exploitation methods. Immediate action is recommended, and developers can apply the fixes by updating to Jenkins versions 2.442 and LTS 2.426.3.
Despite the availability of these patches, published statistics indicate that over 75,000 Jenkins servers worldwide remain exposed and unpatched. Exploits for these vulnerabilities have been published on GitHub, underscoring the urgency for the community to address this security issue promptly.