Fortra is researching a vulnerability in Jenkins’ built-in command line interface (CLI). This vulnerability, CVE-2024-23897, could allow an unauthenticated attacker with Overall/Read permission to read arbitrary files on the Jenkins controller file system. Customers are recommended to update to Jenkins 2.442, LTS 2.426.3.
Who is affected?
Versions prior to Jenkins 2.441, LTS 2.426.2 are vulnerable to CVE-2024-23897.
What can I do?
Customers are recommended to update to Jenkins 2.442, LTS 2.426.3 as soon as possible. If you are not able to update immediately, disabling access to the CLI until you are able to perform the update is expected to prevent exploitation. For more information, refer to Jenkins’ security advisory.
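To help triage which controllers still need the update, here is an added example (not Fortra's or Jenkins' code) that classifies a Jenkins version string against the fixed releases this article names, 2.442 for weekly and LTS 2.426.3. The version usually comes from the X-Jenkins response header; the header values used at the bottom are constructed sample input.

```python
"""Classify Jenkins version strings for CVE-2024-23897 exposure.

Weekly releases carry two components (e.g. 2.441); LTS releases carry
three (e.g. 2.426.2). Comparing a weekly version against the LTS
threshold, or vice versa, gives wrong answers, so the two lines are
checked separately. Fixed releases per the article: 2.442 and LTS 2.426.3.
"""
import re

FIXED_WEEKLY = (2, 442)      # first non-vulnerable weekly release
FIXED_LTS = (2, 426, 3)      # first non-vulnerable LTS release

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(value):
    """Turn '2.426.2' into (2, 426, 2); reject anything else."""
    m = _VERSION_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"not a Jenkins version: {value!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version):
    """True when the version predates the fixed release of its own line."""
    v = parse_version(version)
    if len(v) == 3:                 # LTS line
        return v < FIXED_LTS
    return v < FIXED_WEEKLY         # weekly line


def triage(headers):
    """Map host -> verdict for a {host: X-Jenkins header value} dict.

    Unparseable values are reported as 'unknown' rather than silently
    treated as safe, so a scanner does not miss odd or custom builds.
    """
    verdicts = {}
    for host, value in headers.items():
        try:
            verdicts[host] = "vulnerable" if is_vulnerable(value) else "patched"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed sample: X-Jenkins values as a scanner might collect them.
    sample = {"ci-a": "2.441", "ci-b": "2.426.3", "ci-c": "2.414.3",
              "ci-d": "2.440.1", "ci-e": "custom-build"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```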
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Vulnerability Scanning: Alert Logic released authenticated scan coverage to identify vulnerable instances. If the vulnerability is found, an exposure will be raised for CVE-2024-23897.
Alert Logic Network IDS: Alert Logic has released new, specific IDS signatures to aid in detection research; existing telemetry and generic signatures began alerting on exploit attempts on January 26, 2024.
Alert Logic Log Management: Alert Logic has deployed and is actively monitoring log telemetry related to known IOCs.
Core Impact: On February 28, 2024, an exploit for Jenkins was delivered to Core Impact customers: "Jenkins CLI Arbitrary File Read Exploit" (CVE-2024-23897, CVSS 7.5). Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier, do not disable a feature of the CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. This exploit release was tested against Jenkins 2.426.2 for Windows and Linux.
Fortra VM: On March 8, 2024, Fortra VM released a new unauthenticated check for CVE-2024-23897: Jenkins Arbitrary File Read (158774) via Network Scanner 4.37.0.
Tripwire: Tripwire released unauthenticated scan coverage on February 7, 2024, to identify vulnerable instances. If the vulnerability is found, vulnerability 603763 will match for CVE-2024-23897.
Updates
Fortra has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Fortra coverage as it becomes available.