Critical Jenkins Vulnerability Exposes Servers to RCE Attacks – Patch ASAP!


January 25, 2024 at 11:38AM

Jenkins recently resolved nine security flaws, including a critical bug (CVE-2024-23897) that enables remote code execution. The bug is an arbitrary file read through the built-in command line interface (CLI): an attacker can use it to read arbitrary files on the Jenkins controller file system. The flaw was discovered by Yaniv Nizry and fixed in Jenkins 2.442 and LTS 2.426.3. Turning off CLI access is recommended until the patch is applied.

Key Takeaways:

1. The maintainers of CI/CD automation software Jenkins have resolved nine security flaws, including a critical bug (CVE-2024-23897) that could lead to remote code execution (RCE) through the built-in command line interface (CLI).

2. The flaw allows threat actors to read arbitrary files on the Jenkins controller file system; how much of a file's content can be read depends on the permissions the attacker holds.

3. The vulnerability could potentially be exploited to extract binary secrets, leading to various attacks such as remote code execution and decryption of stored secrets.

4. Security researcher Yaniv Nizry was credited with discovering and reporting the flaw, leading to a fix in Jenkins 2.442 and LTS 2.426.3.

5. As a short-term fix, it is recommended to turn off access to the CLI until the patch can be applied.

6. The recent security fix follows a previous resolution of severe vulnerabilities (CVE-2023-27898 and CVE-2023-27905) in Jenkins.
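A version-triage check built on the fixed versions named above, as an added example that is not from the original article or the Jenkins project. It assumes the Jenkins convention that weekly releases carry two-part version strings and LTS releases three-part ones, and compares each release line against its own fixed version.

```python
# Added triage helper for CVE-2024-23897: is a Jenkins core version older than
# the fix? Not code from the article or the Jenkins project. Assumption: weekly
# releases use two-part versions ("2.441"), LTS releases three-part versions
# ("2.426.2"); fixed versions per the article are weekly 2.442 and LTS 2.426.3.
from typing import Dict, List, Tuple

FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.426.3" into (2, 426, 3); reject anything but 2 or 3 integers."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"malformed Jenkins version: {version!r}") from exc
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected Jenkins version format: {version!r}")
    return parts


def is_vulnerable(version: str) -> bool:
    """True if this core version still lacks the fix.

    Each release line is compared against its own fixed version: a plain numeric
    comparison would call LTS 2.426.3 older than weekly 2.442 although it is
    patched, and would pass weekly 2.426 although it is not."""
    parts = parse_version(version)
    if len(parts) == 3:          # LTS line
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY  # weekly line


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket controllers (hostname -> version) into patch_now / fixed / unknown;
    unparseable versions land in 'unknown' for manual follow-up."""
    buckets: Dict[str, List[str]] = {"patch_now": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            key = "patch_now" if is_vulnerable(version) else "fixed"
        except ValueError:
            key = "unknown"
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"ci-a": "2.441", "ci-b": "2.442", "ci-c": "2.426.2",
              "ci-d": "2.426.3", "ci-e": "2.414.3", "ci-f": "latest"}
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Controllers in the patch_now bucket should have CLI access disabled until they are upgraded, as the article recommends.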
