A pair of security vulnerabilities have been discovered in Jenkins, a popular open-source automation server, that could allow attackers to read arbitrary files from the Jenkins controller file system and potentially lead to remote code execution (RCE).

Jenkins is a popular open-source automation server that automates the software development lifecycle, including building, testing, and deploying code. It compiles and packages code into executable files, allowing developers to run automated tests and ensure their code works as expected. Then, it automatically deploys it to production environments.

Remote Code Execution is a type of security vulnerability that allows an attacker to execute arbitrary code on a remote system, such as a server or computer, without physical access. This can lead to unauthorized access, data theft, and system compromise.

In the context of the Jenkins vulnerability, RCE could allow an attacker to run malicious code on the Jenkins server, potentially leading to a complete system takeover.

Arbitrary File Read Vulnerability (CVE-2024-43044)

The first vulnerability, identified as SECURITY-3430, affects Jenkins versions 2.470 and earlier, as well as LTS versions 2.452.3 and earlier. The issue lies in the Remoting library, which allows agents to load classes and resources from the controller.

The library’s implementation of ClassLoaderProxy#fetchJar does not restrict paths that agents can request to read from the controller file system, allowing attackers with Agent/Connect permission to read arbitrary files.

“This is a critical vulnerability as the information obtained can be used to increase access up to and including remote code execution (RCE).” Jenkins said.

Daniel Beck, CloudBees, Inc., discovered this vulnerability for SECURITY-3349 and is considered critical, as the information obtained can be used to increase access up to and including RCE. The Jenkins project has released a fix for this vulnerability in versions 2.471, LTS 2.452.4, and LTS 2.462.1.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Missing Permission Check Vulnerability (CVE-2024-43045)

The second vulnerability, identified as SECURITY-3349, affects Jenkins versions 2.470 and earlier and LTS versions 2.452.3 and earlier.

The issue lies in an HTTP endpoint that does not perform a permission check. This allows attackers with Overall/Read permission to access other users’ “My Views.” Attackers with global View/Configure and View/Delete permissions can also change other users’ “My Views.”

Jiangchenwei (Nebulalab) and Yangyue (Nebulalab) discovered this vulnerability for SECURITY-3430. It is considered medium-severity and has been fixed in Jenkins versions 2.471, LTS 2.452.4, and LTS 2.462.1.

To address the vulnerabilities, it is recommended that Jenkins users update their installations to the latest versions. Specifically, Jenkins weekly should be updated to version 2.471, while Jenkins LTS should be updated to version 2.452.4 or 2.462.1.

These updated versions include fixes for the vulnerabilities described above, and all prior versions are considered to be affected unless otherwise indicated.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access