Critical Jenkins Vulnerability Leads to Remote Code Execution

Industry news
Post Reply
rbc
President
Posts: 299
Joined: Mon Oct 30, 2023 1:32 am
Location: Vicksburg, MS
ISC2 Member Status: Yes
Contact:

Critical Jenkins Vulnerability Leads to Remote Code Execution

Post by rbc »

A critical vulnerability in the built-in command line interface (CLI) of Jenkins allows attackers to obtain cryptographic keys that can be used to execute arbitrary code remotely.

The issue, tracked as CVE-2024-23897, impacts Jenkins 2.441 and earlier and LTS 2.426.2 and earlier, because the command parser (the args4j library) has a feature where an ‘@’ character followed by a file path in an argument is replaced with the file’s content.

“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process,” Jenkins warns in its advisory.
[...]
Critical Jenkins Vulnerability Leads to Remote Code Execution
Robert B. Carleton + ISC2 Central Mississippi President
Post Reply