NAVANEM
CVE-2024-23897: exploited in the wild

Jenkins CLI arbitrary file read leading to RCE

Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents (expandAtFiles). This feature is enabled by default.

Overview

CVE-2024-23897 is a critical arbitrary file read vulnerability in Jenkins CLI that can lead to remote code execution (RCE). The vulnerability exists in how Jenkins processes CLI commands using the args4j library, which has a feature that automatically expands arguments beginning with @ followed by a file path into the contents of that file. This feature is enabled by default and lacks sufficient access controls, allowing unauthenticated users to read arbitrary files accessible to the Jenkins process.

Technical Details

Jenkins CLI accepts commands via WebSocket or HTTP endpoints and parses them using the args4j library on the Jenkins controller. The expandAtFiles feature in args4j replaces any argument formatted as @/path/to/file with the actual contents of the specified file.

An unauthenticated attacker with access to the CLI endpoint can exploit this behavior to read sensitive files, including:

  • secrets/master.key - the encryption key for all Jenkins secrets
  • secrets/hudson.util.Secret - additional cryptographic material

With access to these files, an attacker can decrypt every credential stored in Jenkins, including SSH keys, cloud provider tokens, Active Directory bind credentials, and Docker registry passwords. These decrypted credentials enable escalation to full remote code execution through various Jenkins plugins and pipeline configurations.

Impact

The impact of this vulnerability is severe. Jenkins is the dominant on-premises CI/CD server, and compromise leads to:

  • Complete credential exposure: All stored secrets can be decrypted
  • Supply chain attacks: Poisoned builds and signed malicious artifacts
  • Lateral movement: Access to source repositories, cloud infrastructure, and internal networks
  • Ransomware deployment: Trend Micro documented multiple ransomware groups, including IntelBroker affiliates, actively exploiting this vulnerability

Mass exploitation began within one week of the January 24, 2024 advisory, with hundreds of public Jenkins instances compromised.

Mitigation

  1. Patch immediately: Update to Jenkins 2.442 (weekly) or LTS 2.426.3 or later
  2. Workaround: If patching is delayed, disable CLI access entirely or restrict it to localhost
  3. Credential rotation: Treat all stored credentials as compromised on any Jenkins instance that was Internet-exposed during January 2024, and rotate every secret
  4. Audit configurations: Review recent build configurations and pipeline scripts for malicious modifications

Detection

Organizations should audit Jenkins access logs for unusual CLI requests, particularly those containing @ characters followed by file paths. Monitor for unexpected file access patterns on the Jenkins controller, especially reads of files in the secrets/ directory. Review authentication logs for credential usage that may indicate stolen secrets being leveraged elsewhere in the environment.
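As an added example (not code from this page or from the Jenkins project), the following Python detector applies the audit guidance above to constructed access-log lines: it flags requests to the CLI endpoints, any logged argument carrying an @-prefixed path (the args4j expandAtFiles trigger described under Technical Details), and above all references to the secrets/ files named there. The log format, the trailing `args="..."` field and all addresses are assumptions; stock Jenkins access logs record only the request line, so the argument check only fires where a proxy or custom logger captures CLI arguments.

```python
import re
from collections import Counter
# Constructed NCSA-style sample lines (not real Jenkins logs). The trailing
# args="..." field is an assumption: stock access logs do not record CLI
# arguments, so without it the detector only flags bare CLI endpoint hits.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2024:10:01:02 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Java/17.0.9"
203.0.113.7 - - [25/Jan/2024:10:01:03 +0000] "POST /cli?remoting=false HTTP/1.1" 200 1204 "-" "Java/17.0.9" args="connect-node @/var/jenkins_home/secrets/master.key"
10.0.0.5 - admin [25/Jan/2024:10:02:10 +0000] "GET /job/build-app/lastBuild/console HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.0.0.5 - admin [25/Jan/2024:10:03:11 +0000] "POST /cli?remoting=false HTTP/1.1" 200 300 "-" "Java/17.0.9" args="who-am-i"
198.51.100.2 - - [25/Jan/2024:10:04:00 +0000] "GET /cli/ws HTTP/1.1" 101 0 "-" "Go-http-client/1.1"
198.51.100.2 - - [25/Jan/2024:10:04:01 +0000] "GET /cli/ws HTTP/1.1" 101 0 "-" "Go-http-client/1.1" args="help @/etc/hosts"
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')
CLI_PATH = re.compile(r"^/cli(?:/ws)?(?:\?|$)")  # HTTP and WebSocket CLI endpoints
# An @ directly followed by something path-like is the args4j expandAtFiles trigger;
# requiring a path start keeps e-mail-style user@host tokens from matching.
AT_FILE = re.compile(r'@(?:\.{0,2}/|[A-Za-z]:[\\/]|[^\s"@]*secrets/)[^\s"]*')
SECRET_FILES = re.compile(r"secrets/(?:master\.key|hudson\.util\.Secret)\b")
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def analyze(log_text):
    """Return one finding per CLI request, graded by what the argument string reveals."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not CLI_PATH.match(m["path"]):
            continue
        at_hits = AT_FILE.findall(line)
        if any(SECRET_FILES.search(a) for a in at_hits):
            sev, why = "critical", "CLI argument expands a Jenkins secret file"
        elif at_hits:
            sev, why = "high", "CLI argument uses @file expansion"
        elif m["user"] == "-":
            sev, why = "medium", "unauthenticated CLI endpoint access"
        else:
            sev, why = "low", "authenticated CLI use (baseline)"
        findings.append({"ip": m["ip"], "user": m["user"], "severity": sev,
                         "reason": why, "args": at_hits})
    return findings

def by_source(findings, min_severity="medium"):
    """Count findings at or above min_severity per client IP, for triage ordering."""
    return Counter(f["ip"] for f in findings if RANK[f["severity"]] >= RANK[min_severity])

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:<8} {f['ip']:<14} {f['reason']} {f['args']}")
```

Any "critical" hit should be treated as confirmation that the secrets named under Mitigation need rotation, not merely as an alert to review.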