Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
The Jenkins CLI command parser contains a function that automatically replaces the '@' character preceding a file path with the contents of that file. This mechanism is not disabled for unauthenticated users, allowing an attacker to craft a CLI request containing an argument in the form '@/path/to/file'. In response, the server returns the contents of the specified file from the Jenkins controller file system, without requiring any permissions.
An attacker can read any files accessible to the Jenkins process, including configuration files, SSH keys, secrets, API tokens and credentials, which can ultimately lead to complete takeover of the CI/CD environment.
Jenkins must be updated to version 2.442 or newer (weekly) or to LTS version 2.426.3 or newer. Patch details are available in the official Jenkins security advisory: https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
Jenkins in version 2.441 and earlier; Jenkins LTS in version 2.426.2 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJenkins
APPJenkins< 2.426.3< 2.442
CISA KEV — detailsi
- Vendori
- Jenkins
- Producti
- Jenkins Command Line Interface (CLI)
- Added to KEVi
- August 19, 2024
- Remediation deadline (US Federal)i
- September 9, 2024(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution.
Related vulnerabilities
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.13...
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remot...
Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the...
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent ...
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symboli...