{"id":167267,"date":"2024-08-19T19:46:56","date_gmt":"2024-08-19T19:46:56","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=167267"},"modified":"2024-08-19T19:46:58","modified_gmt":"2024-08-19T19:46:58","slug":"cisa-adds-jenkins-command-line-interface-cli-bug-to-its-known-exploited-vulnerabilities-catalog","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/167267\/hacking\/cisa-adds-jenkins-command-line-interface-cli-bug-to-its-known-exploited-vulnerabilities-catalog.html","title":{"rendered":"CISA adds Jenkins Command Line Interface (CLI) bug to its Known Exploited Vulnerabilities catalog"},"content":{"rendered":"
<\/div>\n

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Jenkins Command Line Interface (CLI) bug to its Known Exploited Vulnerabilities catalog.<\/h2>\n\n\n\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)\u00a0added<\/a> a Jenkins Command Line Interface (CLI) Path Traversal vulnerability, tracked as CVE-2024-23897<\/a>\u00a0(CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog<\/a>.<\/p>\n\n\n\n

In January 2024, researchers warned<\/a> that several proof-of-concept (PoC) exploits targeting the recently disclosed critical Jenkins vulnerability,\u00a0CVE-2024-23897<\/a>, had been made public.<\/p>\n\n\n\n

Jenkins is the most popular open source automation server; it is maintained by CloudBees and the Jenkins community. The automation server helps developers build, test and deploy their applications, and it has hundreds of thousands of active installations worldwide with more than 1 million users.<\/p>\n\n\n\n

The maintainers of the open-source platform have addressed nine security vulnerabilities, including a critical flaw, tracked as CVE-2024-23897<\/strong><\/a>, that could lead to remote code execution (RCE). The vulnerability was reported by the researcher Yaniv Nizry from Sonar<\/a> who wrote a detailed analysis<\/a> of the issue.<\/p>\n\n\n\n

Jenkins has a built-in command line interface (CLI)<\/a> to access the platform from a script or shell environment. The open-source software uses the args4j library<\/a> to parse CLI command arguments and options on the Jenkins controller. The parser has a feature (\u2018expandAtFiles\u2019) that replaces an \u2018@\u2019 character followed by a file path in an argument with the content of that file. This feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it.<\/p>\n\n\n\n

An attacker can abuse the default character encoding of the Jenkins controller process to read arbitrary files on the controller file system.<\/p>\n\n\n\n

An attacker with \u201cOverall\/Read\u201d permission can read entire files, while an attacker without it can read the first three lines of the files depending on the CLI commands.<\/p>\n\n\n\n

The maintainers pointed out<\/a> that exploiting this flaw makes it possible to read binary files containing cryptographic keys used for various Jenkins features, even with some limitations.<\/p>\n\n\n\n

The popular cybersecurity researcher Florian Roth warned that a couple of weaponized PoC exploits have been released.<\/p>\n\n\n\n

\n

This vulnerability in #Jenkins<\/a> is serious CVE-2024-23897

POCs have been published
https:\/\/t.co\/nGtbf8fehd<\/a> https:\/\/t.co\/pzY0NSL5bA<\/a>

report by
@SonarSource<\/a> https:\/\/t.co\/VNAUg2PDN8<\/a> pic.twitter.com\/vbiWGmj47M<\/a><\/p>— Florian Roth (@cyb3rops) January 26, 2024<\/a><\/blockquote>