Critical Jenkins Vulnerability Leads to Remote Code Execution

Posted: Fri Jan 26, 2024 12:15 pm
by rbc
A critical vulnerability in the built-in command line interface (CLI) of Jenkins allows attackers to obtain cryptographic keys that can be used to execute arbitrary code remotely.

The issue, tracked as CVE-2024-23897, impacts Jenkins 2.441 and earlier and LTS 2.426.2 and earlier, because the command parser (the args4j library) has a feature where an ‘@’ character followed by a file path in an argument is replaced with the file’s content.

“This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process,” Jenkins warns in its advisory.
[...]
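The args4j behaviour the article describes can be reproduced directly against the library, which also shows the knob the Jenkins fix turned off (Jenkins 2.442 and LTS 2.426.3 disable the @-file feature in the CLI parser). The following is an added example written for this post, not code from the article or from Jenkins; it assumes args4j 2.33 on the classpath (`ParserProperties.withAtSyntax` exists from 2.0.30 onward) and uses a constructed temp file in place of a real secret. `AtSyntaxDemo`, `Args` and `parse` are names chosen here for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

import org.kohsuke.args4j.Argument;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.ParserProperties;

// Added example (not Jenkins or args4j project code): shows args4j's
// "@file" expansion with the default parser settings, and the same parse
// with the feature disabled via ParserProperties.withAtSyntax(false).
public class AtSyntaxDemo {

    // Minimal args4j command bean: every positional token is collected here.
    public static class Args {
        @Argument
        public List<String> positional = new ArrayList<>();
    }

    // Parse argv with at-syntax on or off and return the resulting positional
    // arguments. With at-syntax on, a token "@<path>" is replaced by the lines
    // of <path> (one argument per line); with it off, the token stays literal.
    static List<String> parse(boolean allowAtSyntax, String... argv) throws CmdLineException {
        Args bean = new Args();
        ParserProperties props = ParserProperties.defaults().withAtSyntax(allowAtSyntax);
        new CmdLineParser(bean, props).parseArgument(argv);
        return bean.positional;
    }

    public static void main(String[] argv) throws IOException, CmdLineException {
        // Constructed stand-in for a file on the controller that callers of the
        // CLI should never be able to read.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.write(secret, List.of("this line is private", "so is this one"));
        secret.toFile().deleteOnExit();

        // An attacker-controlled argument naming that file.
        String token = "@" + secret;

        // Default properties: the file's lines show up as parsed arguments,
        // which is why any argument an unauthenticated caller can influence
        // becomes a file read on the controller.
        System.out.println("at-syntax on : " + parse(true, "job-name", token));

        // Hardened properties: the literal "@/tmp/secret....txt" token is kept
        // as-is and the file is never opened.
        System.out.println("at-syntax off: " + parse(false, "job-name", token));
    }
}
```

Compile and run with args4j on the classpath, e.g. `javac -cp args4j-2.33.jar AtSyntaxDemo.java && java -cp args4j-2.33.jar:. AtSyntaxDemo`. The second line of output is the behaviour you want from any parser that takes input across a trust boundary; if you cannot upgrade Jenkins immediately, the advisory's workaround of disabling CLI access removes the reachable parser entirely.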