1. About the Vulnerability
| Vulnerability Name | Jenkins Arbitrary File Read Vulnerability (CVE-2024-23897) |
|---|---|
| Release Date | January 27, 2024 |
| Component Name | Jenkins |
| Affected Versions | Jenkins ≤ 2.441 |
| Vulnerability Type | Arbitrary File Read |
| Severity | CVSS v3 Base Score: 9.8 (Critical) |
| Exploitability | Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None |
| Impact | Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High |
2. About CVE-2024-23897
2.1 About the Component
Jenkins (formerly known as Hudson) is an open-source, Java-based tool for continuous integration. It is mainly used for monitoring continuous software version releases and testing projects and for managing scheduled tasks.
2.2 About the Vulnerability
On January 26, 2024, Sangfor FarSight Labs received notification of the arbitrary file read vulnerability (CVE-2024-23897) in Jenkins, classified as critical (CVSS Score 9.8) by Jenkins.
This vulnerability is caused by a flaw in the CLI command parser in affected versions of Jenkins. The parser has a feature that replaces an '@' character followed by a file path in an argument with the contents of that file. An attacker can supply a crafted argument to read arbitrary files from the Jenkins server's file system, potentially leaking sensitive information stored there.
3. Affected Versions
- Jenkins (weekly) ≤ 2.441
- Jenkins LTS ≤ 2.426.2
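As an added illustration that is not part of the Sangfor alert, the following Python helper checks a Jenkins version against the two affected ranges above (weekly releases have two numeric components, LTS releases three). It assumes the version is taken from the `X-Jenkins` response header that a Jenkins instance returns; the header text below is constructed sample input.

```python
# Affected ranges as stated in the advisory (inclusive upper bounds).
WEEKLY_MAX_AFFECTED = (2, 441)
LTS_MAX_AFFECTED = (2, 426, 2)


def parse_version(text):
    """Return ("weekly"|"lts", numeric tuple) for a Jenkins version string.

    Weekly releases look like "2.441"; LTS releases look like "2.426.2".
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) == 2:
        return "weekly", parts
    if len(parts) == 3:
        return "lts", parts
    raise ValueError(f"unrecognised Jenkins version: {text!r}")


def is_affected(text):
    """True if the given version falls inside the CVE-2024-23897 ranges."""
    line, parts = parse_version(text)
    # Tuple comparison handles the per-line numeric ordering.
    bound = WEEKLY_MAX_AFFECTED if line == "weekly" else LTS_MAX_AFFECTED
    return parts <= bound


def version_from_headers(raw_headers):
    """Pull the X-Jenkins value out of raw HTTP response header lines."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def assess(raw_headers):
    """Return (affected_or_None, explanation) for one captured response."""
    version = version_from_headers(raw_headers)
    if version is None:
        return None, "no X-Jenkins header: not Jenkins, or header stripped"
    line, _ = parse_version(version)
    verdict = is_affected(version)
    state = "within" if verdict else "outside"
    return verdict, f"{version} ({line}) is {state} the affected range"


# Constructed sample headers, not captured from a real host.
SAMPLE_HEADERS = "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.426.2\r\nX-Hudson: 1.395\r\n"

if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))
```

A version check is an inventory aid only: it says nothing about whether the CLI is reachable, so pair it with the patch status reported by the instance itself.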
4. Solutions
4.1 Remediation Solutions
4.1.1 Official Solution
Jenkins has released fixed versions, and affected users are strongly advised to update to the latest version to remediate the vulnerability. For more information, visit https://www.jenkins.io/security/advisory/2024-01-24/
4.2 Sangfor Solutions
4.2.1 Security Monitoring
The following Sangfor products and services perform real-time monitoring of assets affected by the Jenkins arbitrary file read vulnerability (CVE-2024-23897):
- Sangfor Cyber Command (Network Detection and Response)
- Sangfor Cyber Guardian (Managed Detection and Response)
4.2.2 Security Protection
The following Sangfor products and services provide protection against the Jenkins arbitrary file read vulnerability (CVE-2024-23897):
- Sangfor Network Secure (Next-Generation Firewall)
- Sangfor Cyber Guardian (Managed Detection and Response)
5. Timeline
On January 26, 2024, Sangfor FarSight Labs received notification of the Jenkins arbitrary file read vulnerability (CVE-2024-23897).
On January 27, 2024, Sangfor FarSight Labs released a vulnerability alert with remediation solutions.
6. References
https://www.jenkins.io/security/advisory/2024-01-24/
7. About Sangfor FarSight Labs
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.