Critical Jenkins Vulnerability Causes Remote Code Execution


A significant vulnerability in Jenkins’ built-in command line interface (CLI) allows attackers to obtain cryptographic keys, which can then be leveraged to execute arbitrary code remotely.

The issue, tracked as CVE-2024-23897, affects Jenkins 2.441 and older, as well as LTS 2.426.2 and earlier. It arises because the CLI’s command parser, the args4j library, has a feature that replaces an ‘@’ character followed by a file path in an argument with that file’s contents. “This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process,” according to the advisory released by Jenkins.

Authenticated attackers, including those with only ‘read-only’ access, can view the entire contents of such files.
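The version ranges above mix two release lines (weekly 2.x.y and LTS 2.x.y.z), so a naive numeric comparison misclassifies every LTS 2.426.x as “below 2.441”. The following is an added triage helper written for this article, not code from Jenkins or the advisory; the sample inventory it checks is constructed.

```python
# Added example (not from the article or Jenkins): classify Jenkins version
# strings against the affected range the advisory gives for CVE-2024-23897.
# Weekly releases carry two components (e.g. 2.441); LTS releases carry three
# (e.g. 2.426.2). Each line is compared against its own ceiling.
from typing import Dict, Iterable, Optional, Tuple

WEEKLY_MAX_AFFECTED = (2, 441)     # "Jenkins 2.441 and older"
LTS_MAX_AFFECTED = (2, 426, 2)     # "LTS 2.426.2 and earlier"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse '2.441' or '2.426.2' into a tuple of ints; None if malformed."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> Optional[bool]:
    """True inside the stated affected range, False outside it,
    None when the string cannot be parsed (treat as 'verify manually')."""
    version = parse_version(text)
    if version is None:
        return None
    if len(version) == 3:                    # LTS line
        return version <= LTS_MAX_AFFECTED
    return version <= WEEKLY_MAX_AFFECTED    # weekly line


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to a human-readable verdict."""
    labels = {True: "affected", False: "outside stated range", None: "unknown"}
    return {v: labels[is_affected(v)] for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; the "version" can be taken from the
    # X-Jenkins response header a controller sends on its HTTP responses.
    sample = ["2.441", "2.442", "2.426.2", "2.426.3", "2.400.1", "garbage"]
    for version, verdict in triage(sample).items():
        print(f"{version:>10}: {verdict}")
```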

