search

Jenkins - CVE-2024-23897

hashtag
Data Leak Vulnerability (fixed in version 2.442, and LTS 2.426.3)

Using Jenkins-CLIarrow-up-right it's possible to leak data from the affected host.

When invoking a CLI command with arguments, we have noticed that Jenkins uses args4j’sarrow-up-right parseArgumentarrow-up-right, which callsarrow-up-right expandAtFilesarrow-up-right:

private String[] expandAtFiles(String args[]) throws CmdLineException {
    List<String> result = new ArrayList<String>();
    for (String arg : args) {
        if (arg.startsWith("@")) {
            File file = new File(arg.substring(1));
            if (!file.exists())
                throw new CmdLineException(this,Messages.NO_SUCH_FILE,file.getPath());
            try {
                result.addAll(readAllLines(file));
            } catch (IOException ex) {
                throw new CmdLineException(this, "Failed to parse "+file,ex);
            }
        } else {
            result.add(arg);
        }
    }
    return result.toArray(new String[result.size()]);
}

The function checks if the argument starts with the @ character, and if so, it reads the file in the path after the @ and expands a new argument for each line.

This means that if an attacker can control an argument, they can expand it to an arbitrary number of ones from an arbitrary file on the Jenkins instance.

hashtag
POC

Download the Jenkins CLI tool:

  1. Authenticated, retrieve complete file:

  1. Unauthenticated or missing Global/Read permissions, read ..

.. first line:

.. second line:

.. third line:

Credits: https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/arrow-up-right

Last updated