Multiple vulnerabilities in Jenkins products


The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has released an alert stating it is tracking multiple vulnerabilities impacting Jenkins products which could result in Remote Code Execution and Cross-site WebSocket hijacking.

CVE-2024-23897 refers to a critical vulnerability in the command line interface command parser that allows attackers to read arbitrary files on the Jenkins controller file system, which could result in Remote Code Execution.

CVE-2024-23898 refers to a high-severity vulnerability that enables cross-site WebSocket hijacking in the command line interface, potentially allowing threat actors to execute CLI commands on the Jenkins controller.

ASD’s ACSC is also tracking CVE-2024-23899, CVE-2024-23900, CVE-2024-23901, CVE-2024-23902, CVE-2024-23903, CVE-2023-6148, CVE-2023-6147, CVE-2024-23905 and CVE-2024-23904 affecting Jenkins products.

A full list of affected versions can be found in the Jenkins Customer Advisory.

ASD’s ACSC adds that it is aware of reports of active exploitation of both vulnerabilities.

In light of the ASD’s ACSC alert regarding multiple vulnerabilities impacting Jenkins products that could result in Remote Code Execution and Cross-site WebSocket hijacking, Rapid7’s Caitlin Condon, Director of Vulnerability Intelligence, said, “Rapid7 Labs is taking a measured approach to the critical Jenkins RCE vulnerability because there are a number of constraints that make it difficult to weaponise for full code execution.”

“It’s possible that an unauthenticated attacker could find a way to compromise a Jenkins instance by exploiting CVE-2023-23897, but it would be a non-trivial attack; the adversary would have to take whatever information they’re able to leak and find a way to use it to further their objectives, such as exploiting the vulnerability to leak an encrypted password and then finding a way to decrypt it.”

“We also suspect that the various estimates of internet-exposed Jenkins instances may be artificially high, since it’s unlikely all internet-facing systems have exploitable configurations. Regardless, Rapid7 advises organisations to patch quickly since anything that can potentially expose secrets is a concern, as are potential targeted attacks by motivated adversaries,” said Condon.

Additionally, Rapid7 Principal Researcher Stephen Fewer has published a technical assessment of the critical Jenkins RCE vulnerability (CVE-2024-23897). Stephen’s analysis goes into much more depth.