A critical arbitrary file read vulnerability in the built-in command line interface (CLI) of Jenkins allows attackers to obtain cryptographic keys that can then be used to execute arbitrary code remotely.
Unauthenticated attackers could exploit the security defect to read the first few lines of a file, while authenticated attackers, even those that only have 'read-only' permissions, can view the entire content of the file.
The flaw can be exploited to read the content of binary files containing cryptographic keys, which, under certain conditions, opens the door to several remote code execution scenarios and allows attackers to decrypt stored secrets, delete items in Jenkins, and download a Java heap dump of the Jenkins controller process.
By exploiting the bug, an attacker could read SSH keys, passwords, project secrets and credentials, source code, build artifacts, and other information, Sonar says.
Jenkins 2.442 and LTS 2.426.3 resolve the vulnerability by disabling the command parser feature that replaced an '@' character followed by a file path in a CLI argument with the contents of that file.
Administrators who cannot update to these releases are advised to disable access to the Jenkins CLI, which fully prevents exploitation but is intended only as a temporary workaround until the update can be applied.
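The fixed releases quoted above are a weekly (2.442) and an LTS (2.426.3) version, and a naive numeric comparison will misclassify LTS controllers, since 2.426.3 sorts below 2.442 even though both carry the fix. The following is an added example, not code from the article or from the Jenkins project, that triages version strings with the two release lines handled separately. It assumes the version comes from the X-Jenkins response header or the "version" field of /api/json, and it treats LTS lines newer than 2.426 (2.440.x onward) as patched because they were cut after the fix; that last point is an assumption stated in the code, not something the article says.

```python
"""Triage Jenkins controller versions against the CVE-2024-23897 fix.

Fixed releases named in the advisory: weekly 2.442 and LTS 2.426.3.
Assumption (not from the article): LTS lines newer than 2.426, i.e. 2.440.x
and later, were released after the fix and therefore contain it.
"""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

FIXED_WEEKLY = (2, 442)     # first fixed weekly release
FIXED_LTS = (2, 426, 3)     # first fixed LTS release


def parse_version(v):
    """'2.426.3' -> (2, 426, 3); '2.442' -> (2, 442). Three components mean LTS."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", v)
    if not m:
        raise ValueError(f"unrecognised Jenkins version string: {v!r}")
    return tuple(int(x) for x in m.groups() if x is not None)


def is_patched(v):
    """True if the version contains the CVE-2024-23897 fix."""
    parts = parse_version(v)
    if len(parts) == 3:                  # LTS release: compare within its line
        line = parts[:2]
        if line < FIXED_LTS[:2]:
            return False                 # older LTS line, never received the fix
        if line == FIXED_LTS[:2]:
            return parts >= FIXED_LTS    # 2.426.x needs .3 or later
        return True                      # 2.440.x and later LTS (assumption above)
    return parts >= FIXED_WEEKLY         # weekly release


def triage(versions):
    """Map each version string to 'patched' or 'VULNERABLE'."""
    return {v: ("patched" if is_patched(v) else "VULNERABLE") for v in versions}


def fetch_version(base_url, timeout=10):
    """Read the X-Jenkins header from a live controller (network, not run here).
    Assumption: the header is also present on an error response such as a
    login redirect or 403, so a HEAD to the root without credentials is enough."""
    req = Request(base_url, method="HEAD")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("X-Jenkins")
    except HTTPError as e:
        return e.headers.get("X-Jenkins")


# Constructed sample values, as an inventory scan of several controllers might collect them.
SAMPLES = ["2.426.2", "2.426.3", "2.441", "2.442", "2.414.3", "2.440.1"]

if __name__ == "__main__":
    for version, verdict in triage(SAMPLES).items():
        print(f"{version:>8}  {verdict}")
    # The pitfall this script avoids: as plain tuples LTS 2.426.3 sorts below
    # weekly 2.442, so a single threshold would flag a patched LTS as vulnerable.
    print("naive tuple compare says 2.426.3 < 2.442:", (2, 426, 3) < (2, 442))
```

Feed `triage()` the version strings gathered from an inventory, or call `fetch_version("https://jenkins.example.internal/")` per controller to collect them; anything it reports as VULNERABLE should either be updated or have its CLI disabled as described above.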
The latest Jenkins versions also resolve two high-severity bugs, including a cross-site WebSocket hijacking bug leading to CLI command execution and an arbitrary file read in the Git Server Plugin that has an impact similar to that of CVE-2024-23897, but requires authentication for exploitation.
Jenkins also announced patches for several medium- and low-severity vulnerabilities in the open source automation server, as well as fixes for multiple high-severity vulnerabilities in various plugins, but warned that CVE-2024-23904, a Log Command Plugin flaw similar to CVE-2024-23897, remains unpatched.
Originally published on www.securityweek.com, Fri, 26 Jan 2024 12:13:15 +0000.