ExploitCVE-2024-23897
Path Traversal: 'dir/../../filename' (CWE-27)
Summary
Jenkins has a built-in command line interface (CLI) that allows attackers to read arbitrary files on the Jenkins controller file system by exploiting an insecure argument parsing library (args4j). The library has a feature that replaces an @ character followed by a file path with the file's contents, and this is enabled by default in affected versions. This vulnerability affects Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier.
Impact
The impact of this vulnerability is severe. Attackers with Overall/Read permission can read entire files, including binary files containing cryptographic keys used for various Jenkins features. This can lead to exposure of sensitive data and potential compromise of the Jenkins instance. Even attackers without Overall/Read permission can read the first few lines of files, with the current assessment showing the ability to read at least the first three lines in recent Jenkins releases without any plugins installed. The vulnerability allows for reading of cryptographic keys from binary files, which can be leveraged for further attacks. The high EPSS score of 0.969020000 indicates a very high likelihood of active exploitation.
Exploitation
Multiple proof-of-concept exploits are available on github.com, packetstormsecurity.com, sonarsource.com, github.com. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including sonarsource.com. Malware such as RansomEXX (Windows) (source:#ransomware) are known to have weaponized this vulnerability. Threat Actor IntelBroker (source:#threatintel) has been identified as exploiting this vulnerability.
Patch
Patches are available to address this vulnerability. Jenkins has released version 2.442 and LTS 2.426.3, which disable the insecure argument parsing behavior. Oracle has also released patches as part of their Critical Patch Update in July 2024.
Mitigation
To mitigate this vulnerability: 1. Update Jenkins to version 2.442 or 2.426.3 LTS immediately. 2. Restrict access to the Jenkins CLI to only trusted users and networks as an additional precaution. 3. Monitor for any suspicious activities or unauthorized access attempts. 4. Review and rotate any potentially compromised cryptographic keys or sensitive information that might have been exposed. 5. Implement the principle of least privilege for Jenkins users and regularly audit user permissions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
NVD published the first details for CVE-2024-23897
Feedly found the first article mentioning CVE-2024-23897. See article
The vulnerability CVE-2024-23897 is a critical security flaw with a CVSS score. It is currently being exploited in the wild by unknown actors. There are no proof-of-concept exploits available, and no mitigations, detections, or patches have been released yet. The impact on downstream vendors or technology is unknown. See article
Detection for the vulnerability has been added to Nessus (189463)
Feedly estimated the CVSS score as MEDIUM
Feedly estimated the CVSS score as HIGH
Detection for the vulnerability has been added to Qualys (731109)
This CVE started to trend in security discussions