A critical vulnerability in the built-in command line interface (CLI) of Jenkins allows attackers to obtain cryptographic keys that can be used to execute arbitrary code remotely.
The issue, tracked as CVE-2024-23897, impacts Jenkins 2.441 and earlier and LTS 2.426.2 and earlier, because the command parser (the args4j library) has a feature where an ‘@’ character followed by a file path in an argument is replaced with the file’s content.
“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process,” Jenkins warns in its advisory.
[...]
Critical Jenkins Vulnerability Leads to Remote Code Execution
Critical Jenkins Vulnerability Leads to Remote Code Execution
-
rbc
- President
- Posts: 273
- Joined: Mon Oct 30, 2023 1:32 am
- Location: Vicksburg, MS
- ISC2 Member Status: Yes
- Contact:
Critical Jenkins Vulnerability Leads to Remote Code Execution
Robert B. Carleton + ISC2 Central Mississippi President