Critical Jenkins RCE flaw exploited in the wild. Patch now! (CVE-2024-23897)
Several proof-of-concept (PoC) exploits for a recently patched critical vulnerability (CVE-2024-23897) in Jenkins have been made public and there’s evidence of exploitation in the wild.
About CVE-2024-23897
Jenkins is a widely used Java-based open-source automation server that helps developers build, test and deploy applications, enabling continuous integration (CI) and continuous delivery (CD).
CVE-2024-23897 is an arbitrary file read vulnerability in Jenkins’ built-in command line interface (CLI). A threat actor holding Overall/Read permission (which may include unauthenticated users, depending on the instance’s authorization configuration) can read arbitrary files on the Jenkins controller file system; those without Overall/Read permission can still read the first few lines of files.
“This vulnerability stems from the use of the args4j library for parsing command arguments and options on the Jenkins controller,” said penetration tester Maxime Paillé.
The vulnerability can also be exploited to read binary files containing cryptographic keys used for various Jenkins features (with some limitations), he says. Access to this sensitive information could lead to:
- Remote code execution via Resource Root URLs
- Remote code execution via “Remember me” cookie
- Remote code execution via stored cross-site scripting (XSS) attacks through build logs
- Remote code execution via CSRF protection bypass
- Decryption of secrets stored in Jenkins
- Deletion of any item in Jenkins
- Java heap dump download
Jenkins also disclosed CVE-2024-23898, a high-severity cross-site WebSocket hijacking vulnerability that could allow a threat actor to execute arbitrary CLI commands by tricking a victim to click on a malicious link.
Both vulnerabilities have been reported (and described) by SonarSource’s Vulnerability Research Team.
PoC exploits are public
PoCs for CVE-2024-23897 have been made public (1, 2) and could be leveraged by attackers to compromise unpatched Jenkins servers.
There have also been reports of the vulnerability being exploited in the wild.
Both vulnerabilities have been fixed in Jenkins 2.442 and LTS 2.426.3, so Jenkins users are urged to patch as soon as possible. Workarounds are also available.
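The fixed versions above are the ones that matter for triage, and a common mistake is to compare version numbers naively: LTS 2.426.3 is patched even though it is numerically lower than weekly 2.442. The following is an added example (not code from the article, Jenkins or SonarSource) that classifies a Jenkins version string as weekly or LTS and checks it against the fixed releases stated in the advisory. The host names and the inventory list are constructed sample data, and the treatment of a trailing "-suffix" on a version string is an assumption, not something the advisory specifies.

```python
from typing import List, Tuple

# Fixed releases named in the advisory: weekly 2.442 and LTS 2.426.3.
WEEKLY_FIXED = (2, 442)
LTS_FIXED = (2, 426, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.442" or "2.426.3" into a tuple of ints.

    Anything after a '-' is dropped (assumed to be a build suffix); a string
    that does not have two or three numeric components is rejected rather
    than guessed at.
    """
    core = version.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected Jenkins version format: {version!r}")
    return parts


def is_lts(parts: Tuple[int, ...]) -> bool:
    # Jenkins LTS releases carry three components (2.426.3); weeklies carry two.
    return len(parts) == 3


def is_vulnerable(version: str) -> bool:
    """True if this version predates the fix on its own release line.

    LTS and weekly lines are compared separately, so 2.426.3 (LTS, fixed)
    is not mistaken for being older than 2.442 (weekly, fixed). Older LTS
    lines such as 2.414.x never received the fix and compare as vulnerable.
    """
    parts = parse_version(version)
    if is_lts(parts):
        return parts < LTS_FIXED
    return parts < WEEKLY_FIXED


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) entries that still need the patch."""
    return [(host, v) for host, v in inventory if is_vulnerable(v)]


# Constructed sample inventory: hypothetical hosts, not from the article.
SAMPLE_INVENTORY = [
    ("ci-01.example.internal", "2.426.2"),  # LTS, one release before the fix
    ("ci-02.example.internal", "2.426.3"),  # LTS, fixed
    ("ci-03.example.internal", "2.441"),    # weekly, one release before the fix
    ("ci-04.example.internal", "2.442"),    # weekly, fixed
    ("ci-05.example.internal", "2.414.3"),  # older LTS line, no fix on that line
]

if __name__ == "__main__":
    for host, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: Jenkins {version} affected by CVE-2024-23897 / CVE-2024-23898, upgrade required")
```

Feed it whatever version each controller reports and it flags the three hosts that still need upgrading while leaving the two patched ones alone; a version string in an unexpected shape raises instead of silently passing, which is the safer failure mode for a patch-status check.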
UPDATE (January 30, 2024, 03:10 a.m. ET):
Shadowserver has found about 45,000 exposed Jenkins instances that are vulnerable to CVE-2024-23897.
UPDATE (August 14, 2024, 04:35 a.m. ET):
CVE-2024-23897 has been leveraged by the RansomEXX group to target Brontoo Technology Solutions with ransomware, which resulted in a disruption of retail payments in Indian banks.