Skip to main content
Sonar.tv
Back
Excessive Expansion: Uncovering Critical Security Vulnerabilities in JenkinsNow Playing

Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins

Code SecurityMarch 13th 20241:16Part of SCSE

A technical demonstration of an excessive expansion vulnerability found in Jenkins, showing how SonarQube's deep SAST detects dangerous code patterns that traditional security scanners miss.

Overview

Jenkins, the widely-used open-source automation server for building, deploying, and automating software projects, has recently become the subject of urgent security concerns. Sonar's vulnerability research team has uncovered two critical security vulnerabilities that pose significant risks to Jenkins installations worldwide. These discoveries highlight the importance of timely security updates and vigilant monitoring of widely-deployed development tools.

CVE-2024-23897: Arbitrary File Read Vulnerability

The first identified vulnerability, tracked as CVE-2024-23897, represents a critical threat to Jenkins security. This vulnerability allows unauthenticated attackers to gain limited read capabilities of archive files, while authorized attackers can read entire arbitrary files from the Jenkins server. Depending on the context and nature of the files accessed, these arbitrary read capabilities could potentially lead to remote code execution (RCE) attacks, making this vulnerability particularly dangerous for organizations relying on Jenkins for their development pipelines.

CVE-2024-23898: Command Execution Through Social Engineering

The second vulnerability, identified as CVE-2024-23898, presents a different but equally severe threat vector. This vulnerability enables attackers to execute arbitrary commands as the victim by manipulating users into visiting a malicious link. As demonstrated in the research, the attack can trigger malicious code execution in the background even when legitimate users are signed in as administrators, making it an effective social engineering attack that could compromise entire Jenkins infrastructures.

Remediation and Updates

Both vulnerabilities have been addressed in recent Jenkins releases. Organizations running Jenkins are advised to upgrade to version 2.441 or the LTS version 2.426.3 or later to mitigate these security risks. The fixes represent critical security patches that should be prioritized for immediate deployment across all Jenkins installations.

Key Takeaways

  • Two critical vulnerabilities (CVE-2024-23897 and CVE-2024-23898) have been discovered in Jenkins by Sonar's research team
  • CVE-2024-23897 allows unauthenticated attackers to read arbitrary files and potentially achieve remote code execution
  • CVE-2024-23898 enables attackers to execute arbitrary commands through social engineering tactics
  • Immediate upgrades to Jenkins 2.441 or LTS 2.426.3 or later are essential for protecting Jenkins deployments
  • Organizations should prioritize security updates and implement access controls to minimize exploitation risk