CI/CD at Risk as Exploits Released For Critical Jenkins Bug

Software developers have been told to urgently patch their Jenkins servers after exploits were published for a new critical vulnerability in the product.

CVE-2024-23897 could allow unauthenticated attackers with “overall/read” permission to read arbitrary files on the Jenkins controller file system. Even those without these permissions would be able to read the first few lines of files, according to Jenkins.

“Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it,” explained the advisory.

“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.”

Read more on Jenkins: DevOps Alert: 12,000 Jenkins Servers Exposed to DoS Attacks

According to researchers at SonarSource, threat actors could exploit the vulnerability to read Jenkins secrets, in order to “escalate privileges to admin and eventually execute arbitrary code on the server.”

This matters, because Jenkins is described as one of the most popular open source automation server offerings widely used for building, deploying and automating software projects. It has a market share of around 44% in the Continuous Integration and Continuous Deployment (CI/CD) software space, according to SonarSource.

If an attacker could gain remote control of these developer environments, they could theoretically plant malicious code in new software builds, for use in digital supply chain attacks.

Jenkins last week released patches for both CVE-2024-23897 and another vulnerability, cross-site WebSocket hijacking bug CVE-2024-23898, as well as workarounds and more information on exploitation methods. Versions 2.442 and LTS 2.426.3 are available to fix these two bugs now.

However, Shodan searches on Friday revealed over 75,000 exposed and unpatched Jenkins servers worldwide.

Exploits were published to GitHub over the weekend.