
Jenkins Vulnerability Alert | January 2024

Jenkins Vulnerability Overview


Update August 21, 2024:

CVE-2024-23897 is being actively exploited by malicious threat actors and was recently added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities list. CVE-2024-23897 could allow an unauthenticated attacker to gain limited read access to certain files, which can lead to code execution. This could in turn lead to serious incidents such as data theft or ransomware. If your organization has not already done so, we recommend taking mitigating action immediately.

Background Information

On January 24th, 2024, Jenkins released an advisory detailing a serious security flaw (CVE-2024-0204) in their open-source automation server. Jenkins is a tool commonly used by organizations for software development and collaboration. The vulnerability allows a remote attacker to read files or execute arbitrary code. Corvus has observed similar vulnerabilities lead to exploitation in the past. Security patches have been released and should be applied as soon as possible.

Impact of the Vulnerability

The vulnerability affects Jenkins instances running the following versions:

  • Jenkins 2.441 and earlier
  • Jenkins LTS 2.426.2 and earlier

Attackers can read files and execute arbitrary code or commands on unpatched instances, gaining a foothold in the network. From there the attacker would be able to conduct further exploitation and potentially move laterally through the network. Impacted organizations should apply the security patch immediately.

Next Steps for Jenkins Customers:

  1. Download and install the latest version of the affected products:
    1. Jenkins should be updated to Jenkins 2.442
    2. Jenkins LTS should be updated to version 2.426.3
  2. If you aren’t able to patch, the Jenkins team has provided the following mitigation option:
    1. Disable access to the CLI (the Jenkins advisory documents this workaround).
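To help decide which of the steps above applies to a given instance, the following added example (not part of the Corvus advisory or of Jenkins itself) reads the version a Jenkins server reports in its X-Jenkins response header and classifies it against the affected ranges and fixed releases listed on this page. The sample header block is constructed, not captured from a real server.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Last affected releases per this advisory; fixes are 2.442 (weekly) and 2.426.3 (LTS).
WEEKLY_LAST_AFFECTED = (2, 441)
LTS_LAST_AFFECTED = (2, 426, 2)


@dataclass
class Assessment:
    version: str
    line: str        # "weekly" or "lts"
    affected: bool
    fixed_in: str


def parse_version(version: str) -> tuple:
    """Jenkins weekly releases use two components (2.441); LTS uses three (2.426.2)."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> Assessment:
    """Classify a Jenkins version against the ranges given in this advisory."""
    v = parse_version(version)
    if len(v) == 3:
        return Assessment(version, "lts", v <= LTS_LAST_AFFECTED, "2.426.3")
    return Assessment(version, "weekly", v <= WEEKLY_LAST_AFFECTED, "2.442")


_X_JENKINS = re.compile(r"^x-jenkins:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def version_from_headers(raw_headers: str) -> Optional[str]:
    """Extract the version from the X-Jenkins header (e.g. the output of curl -sI)."""
    m = _X_JENKINS.search(raw_headers)
    return m.group(1) if m else None


# Constructed sample response headers for demonstration only.
SAMPLE_HEADERS = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Jenkins: 2.426.2\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
)

if __name__ == "__main__":
    a = assess(version_from_headers(SAMPLE_HEADERS))
    status = f"AFFECTED, update to {a.fixed_in}" if a.affected else "not affected"
    print(f"Jenkins {a.version} ({a.line}): {status}")
```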
