CISA Adds Jenkins CLI Path Traversal Vulnerability to Known Exploited Vulnerabilities Catalogue

Introduction

On August 19, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) added a new vulnerability, CVE-2024-23897, to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability, which affects the Jenkins Command Line Interface (CLI), poses a critical security risk because it allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system. The addition underscores the ongoing threat these types of vulnerabilities pose to organizations.

Report Overview

The vulnerability was identified in Jenkins versions 2.441 and earlier and LTS versions 2.426.2 and earlier. Jenkins, a widely used automation server in software development, includes a CLI feature that, if exploited, can allow unauthorized access to sensitive data on the Jenkins controller. Yaniv Nizry from SonarSource discovered and reported the vulnerability.

CVE-2024-23897 is a path traversal vulnerability originating from a feature in Jenkins' CLI command parser. This parser interprets an '@' character followed by a file path in an argument as a command to replace the file's contents. When exploited, this feature allows attackers to read arbitrary files from the Jenkins controller, potentially leading to severe consequences such as unauthorized data access and remote code execution (RCE).

The CLI feature is enabled by default in affected Jenkins versions. Attackers can leverage this vulnerability without needing authentication, making it particularly dangerous. The Jenkins security advisory outlines several scenarios where this vulnerability could be exploited to gain unauthorized access or perform malicious actions on affected Jenkins instances.

The impact of this vulnerability is significant. Given the critical CVSS score of 9.8, organizations using Jenkins in the affected versions are at high risk. The vulnerability could allow attackers to access confidential information stored on the Jenkins controller, including cryptographic keys, configuration files, etc. This access could lead to further exploitation, such as RCE, using the obtained information to forge cookies, bypass authentication mechanisms, or inject malicious code.

Insights and Analysis

CISA's addition of CVE-2024-23897 to the KEV Catalog emphasizes the importance of addressing this vulnerability promptly. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies remediate vulnerabilities listed in the catalogue by the specified due dates. While this directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize patching this vulnerability as part of their vulnerability management practices to mitigate potential risks.

To protect against the exploitation of CVE-2024-23897, organizations using Jenkins should immediately update to the fixed versions—Jenkins 2.442 or LTS 2.426.3 and later. Disabling the CLI feature can also serve as a temporary mitigation until the patch can be applied. Organizations should regularly monitor CISA's KEV Catalog and promptly address any newly added vulnerabilities to reduce exposure to active threats.

The discovery of the Jenkins CLI path traversal vulnerability highlights the ongoing need for vigilant security practices. By keeping systems updated and adhering to CISA's guidelines, organizations can better defend against these critical threats and maintain the security of their IT environments.

Indicators of Compromise (IOC)

MITRE ATT&CK Mapping

References

CISA Adds One Known Exploited Vulnerability to Catalog | CISA

Cybersecurity and Infrastructure Security Agency CISA

Jenkins Security Advisory 2024-01-24

Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software

Jenkins Security Advisory 2024-01-24

NVD - CVE-2024-23897

National Institute of Standards and Technology logo