CISA Adds Jenkins CLI Path Traversal Vulnerability to Known Exploited Vulnerabilities Catalogue
On August 19, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) added a new vulnerability, CVE-2024-23897, to its Known Exploited Vulnerabilities (KEV) Catalog.
Introduction
On August 19, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) added a new vulnerability, CVE-2024-23897, to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability, which affects the Jenkins Command Line Interface (CLI), poses a critical security risk because it allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system. The addition underscores the ongoing threat these types of vulnerabilities pose to organizations.
Report Overview
The vulnerability was identified in Jenkins versions 2.441 and earlier and LTS versions 2.426.2 and earlier. Jenkins, a widely used automation server in software development, includes a CLI feature that, if exploited, can allow unauthorized access to sensitive data on the Jenkins controller. Yaniv Nizry from SonarSource discovered and reported the vulnerability.
CVE-2024-23897 is a path traversal vulnerability originating from a feature in Jenkins' CLI command parser. This parser interprets an '@' character followed by a file path in an argument as a command to replace the file's contents. When exploited, this feature allows attackers to read arbitrary files from the Jenkins controller, potentially leading to severe consequences such as unauthorized data access and remote code execution (RCE).
The CLI feature is enabled by default in affected Jenkins versions. Attackers can leverage this vulnerability without needing authentication, making it particularly dangerous. The Jenkins security advisory outlines several scenarios where this vulnerability could be exploited to gain unauthorized access or perform malicious actions on affected Jenkins instances.
The impact of this vulnerability is significant. Given the critical CVSS score of 9.8, organizations using Jenkins in the affected versions are at high risk. The vulnerability could allow attackers to access confidential information stored on the Jenkins controller, including cryptographic keys, configuration files, etc. This access could lead to further exploitation, such as RCE, using the obtained information to forge cookies, bypass authentication mechanisms, or inject malicious code.
Insights and Analysis
CISA's addition of CVE-2024-23897 to the KEV Catalog emphasizes the importance of addressing this vulnerability promptly. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies remediate vulnerabilities listed in the catalogue by the specified due dates. While this directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize patching this vulnerability as part of their vulnerability management practices to mitigate potential risks.
To protect against the exploitation of CVE-2024-23897, organizations using Jenkins should immediately update to the fixed versions—Jenkins 2.442 or LTS 2.426.3 and later. Disabling the CLI feature can also serve as a temporary mitigation until the patch can be applied. Organizations should regularly monitor CISA's KEV Catalog and promptly address any newly added vulnerabilities to reduce exposure to active threats.
The discovery of the Jenkins CLI path traversal vulnerability highlights the ongoing need for vigilant security practices. By keeping systems updated and adhering to CISA's guidelines, organizations can better defend against these critical threats and maintain the security of their IT environments.
Indicators of Compromise (IOC)
Indicator | Type | Description |
---|---|---|
Unauthorized access to files via Jenkins CLI | File Access | An attacker reading arbitrary files on the Jenkins controller file system using the CLI, particularly when '@' is used in command arguments. |
Use of Jenkins CLI commands by unauthorized users | Command | Unauthenticated or unauthorized usage of Jenkins CLI commands, indicating possible exploitation of the vulnerability. |
Retrieval of binary secrets or cryptographic keys | Data Exfiltration | Unauthorized access or retrieval of binary files containing sensitive information such as cryptographic keys from the Jenkins controller. |
MITRE ATT&CK Mapping
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Exploit Public-Facing Application | T1190 | Exploiting vulnerabilities in Jenkins to gain unauthorized access through its CLI, potentially via path traversal. |
Execution | Command and Scripting Interpreter | T1059.001 | Using Jenkins CLI to execute commands, potentially leading to remote code execution on the Jenkins controller. |
Collection | Data from Local System | T1005 | Reading sensitive files on the Jenkins controller to collect data such as configuration files or cryptographic keys. |
Impact | Data Manipulation | T1565 | Potential manipulation of files or data on the Jenkins controller after gaining access through the CLI vulnerability. |
Comments ()