CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability

Last Wednesday, on January 24, 2024, the Jenkins team issued a security advisory disclosing a critical vulnerability, CVE-2024-23897, affecting the Jenkins CI/CD tool.
This advisory set off alarm bells among the infosec community because the potential impact is huge: Jenkins is widely deployed, with tens of thousands of public-facing installs, and the Jenkins advisory was clear that this vulnerability could lead to remote code execution.
Jenkins is a common target for attackers, and, as of this writing, there are four prior Jenkins-related vulnerabilities in CISA's catalog of Known Exploited Vulnerabilities.
Our advice for users of Jenkins is don't panic unless you need to.
The typical Jenkins install will not be exploitable by unauthenticated attackers.
CVE-2024-23897 resides in the Jenkins CLI, an alternative way for users to interact with Jenkins without going through the web interface.
An unauthenticated attacker with no permissions can leak the first couple of lines of arbitrary text files on a vulnerable Jenkins server.
There are two dangerous Jenkins configuration options that allow unauthenticated attackers to effectively act like authenticated attackers.
Binary files can also be read, but the Jenkins server will try to convert them into text using the default character encoding defined for the Jenkins server.
According to the Jenkins advisory, if Jenkins is running on Linux, where the default character encoding is UTF-8, on average half the characters in binary files will end up being mangled.
If Jenkins is running on Windows, where the default character encoding is Windows-1252, a much smaller percentage of the characters would be mangled on average.
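To put numbers on the advisory's encoding argument, the following is an added example (not code from the Horizon3 post or from Jenkins itself): it decodes constructed binary data the way a server whose default charset is UTF-8 or Windows-1252 would, then measures how many of the original bytes cannot be recovered from the resulting text. The sample data, and the use of Python's codecs as a stand-in for Java's lenient decoders, are assumptions of this example.

```python
import random

# Constructed sample files for this example (not real Jenkins data).
ALL_BYTE_VALUES = bytes(range(256))                     # every byte value exactly once
RANDOM_KEY_FILE = random.Random(2024).randbytes(4096)   # stands in for a binary key file


def decode_as_server_would(raw: bytes, charset: str) -> str:
    """Decode file bytes with the server's default charset.

    Byte sequences that are invalid in that charset become U+FFFD, which is
    also how a lenient Java decoder (new String(bytes, charset)) behaves.
    """
    return raw.decode(charset, errors="replace")


def mangled_fraction(raw: bytes, charset: str) -> float:
    """Fraction of the original bytes that cannot be recovered from the text.

    Characters that decoded cleanly re-encode to their original bytes, so only
    the bytes swallowed by U+FFFD replacements count as lost. (A file that
    genuinely contains the UTF-8 encoding of U+FFFD is slightly over-counted.)
    """
    text = decode_as_server_would(raw, charset)
    recovered = text.replace("\ufffd", "").encode(charset)
    return 1.0 - len(recovered) / len(raw)


def compare_charsets(raw: bytes) -> dict[str, float]:
    """Linux default (UTF-8) versus Windows default (cp1252), as in the advisory."""
    return {cs: mangled_fraction(raw, cs) for cs in ("utf-8", "cp1252")}


if __name__ == "__main__":
    samples = (("all byte values", ALL_BYTE_VALUES), ("random key file", RANDOM_KEY_FILE))
    for name, data in samples:
        for cs, frac in compare_charsets(data).items():
            print(f"{name:16} {cs:7} {frac:6.1%} of bytes mangled")
```

With the 256-value sample, UTF-8 loses exactly the 128 high bytes (half), while cp1252 loses only the five byte values Python's codec leaves undefined, which is why the same leak is rated a lower risk on Linux than on Windows.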
Secret file is a small binary file that contains an encrypted key used to encrypt other secrets.
Risk Matrix (attacker has no permissions):
Jenkins Server Running on Linux: Risk: Low. Can only read the first few lines of arbitrary text files. Binary files can't be read.
Jenkins Server Running on Windows: Risk: Moderate. The Jenkins master.
If it's possible to read secrets stored in binary files, an attacker can dump all credentials stored in Jenkins.
Credential dumping only requires three files from the Jenkins server: the master.
This is the score we'd expect for typical Jenkins installs that haven't been patched for this vulnerability but are using default configuration options and are running on Linux.
Finally, it's not always possible to exploit this vulnerability, particularly if the Jenkins server is running behind a reverse proxy.
Updating to Jenkins 2.442 or 2.426.3 (LTS), or later, addresses this vulnerability.
The post CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability appeared first on Horizon3.


This Cyber News was published on securityboulevard.com. Publication date: Mon, 29 Jan 2024 20:43:03 +0000

