
Jenkins Servers Used for CI/CD Contain Critical RCE Flaw

Approximately 45,000 Vulnerable Servers Worldwide
Hackers are searching for vulnerable Jenkins servers. (Image: Jenkins Project)

Hackers are scanning the internet looking for vulnerable instances of the Jenkins server used by software developers for continuous integration and continuous delivery in automating development.


There are approximately 45,000 exposed Jenkins servers susceptible to a critical remote code execution flaw that has multiple public proof-of-concept exploits circulating on the open internet, the Shadowserver Foundation tweeted. Most of the vulnerable servers are in China, and the United States comes in second.

The Shadowserver Foundation isn't the only organization looking for vulnerable servers. "Our honeypots see someone is mass-scanning and exploiting Jenkins CLI endpoints," tweeted a researcher.

The Jenkins project, which maintains the open-source automation server software, published a security alert Feb. 24 warning users that attackers could exploit a feature in the command line parser to obtain file contents.

Specifically, the command line interface uses the args4j library, which returns file contents when parsing an argument starting with the @ character followed by a file path. Jenkins versions 2.442 and LTS 2.426.3 patch the flaw, although the project said administrators can also disable access to the command line interface.

Attackers who already have overall/read permission can read entire files. Attackers without that permission can still get the first few lines of a file. The flaw is tracked as CVE-2023-23897.
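The mechanism described above is a generic argument-parser feature, not something unique to Jenkins: a parser that expands an `@file` token replaces it with the file's lines, so a user-controlled argument pulls file contents into the command. The following is an added illustration, written for this article and not code from Jenkins, args4j or the reporters, that reproduces the behaviour with Python's `argparse` (whose `fromfile_prefix_chars` option does the same expansion) and shows the parser with the feature on beside the parser with it off. The "secret" file content is constructed for the demonstration.

```python
import argparse
import os
import tempfile

# Constructed sample file content standing in for a file the service can
# read but the caller should not (not taken from any real host).
SAMPLE_SECRET = "constructed-secret-line-1\nconstructed-secret-line-2\n"


def build_parser(expand_at_files: bool) -> argparse.ArgumentParser:
    """Build a minimal CLI parser.

    With expand_at_files=True, argparse's fromfile_prefix_chars makes any
    argument that begins with '@' be replaced by the lines of the named
    file, which is the same convenience feature args4j offers.
    """
    return _with_positionals(
        argparse.ArgumentParser(
            add_help=False,
            fromfile_prefix_chars="@" if expand_at_files else None,
        )
    )


def _with_positionals(parser: argparse.ArgumentParser) -> argparse.ArgumentParser:
    parser.add_argument("name")
    parser.add_argument("extra", nargs="*")
    return parser


def parse_tokens(argv, expand_at_files):
    """Parse argv and return the positional tokens the parser ended up with.

    When expansion is on, an '@/path' token becomes the file's lines, so the
    file's contents flow into the command's arguments (and, in a real
    service, possibly into an error message, log line or response).
    """
    ns, _unknown = build_parser(expand_at_files).parse_known_args(argv)
    return [ns.name] + ns.extra


def reject_at_prefixed(argv):
    """Defensive pre-check: refuse any argument that would trigger expansion.

    Jenkins' own fix is to patch or disable the CLI; this helper shows the
    equivalent guard for a parser you control: validate before parsing.
    """
    for token in argv:
        if token.startswith("@"):
            raise ValueError(f"refusing @-prefixed argument: {token!r}")
    return list(argv)


def demo():
    """Write a constructed secret file, then parse '@<path>' with and without
    @-file expansion. Returns (leaked_tokens, literal_tokens)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(SAMPLE_SECRET)
        path = f.name
    try:
        leaked = parse_tokens(["@" + path], expand_at_files=True)
        literal = parse_tokens(["@" + path], expand_at_files=False)
    finally:
        os.unlink(path)
    return leaked, literal


if __name__ == "__main__":
    leaked, literal = demo()
    print("expansion on :", leaked)    # file lines became the arguments
    print("expansion off:", literal)   # '@/path' stays a literal string
```

With expansion enabled the two constructed lines of the file come back as the parsed arguments; with it disabled the `@`-prefixed string is just a string. That difference is why the article's mitigation options (upgrade to the fixed versions, or disable the CLI entirely) both remove the parser from the reach of untrusted input rather than trying to filter paths.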

Jenkins accounts for an estimated 44% of the CI/CD market. Security researchers warned of multiple working exploits for CVE-2023-23897.

Several validated proofs of concept are available, giving attackers ready-made scripts that need minimal or no modification once they have found exposed servers by scanning.

"Attackers could leverage this vulnerability, by reading Jenkins secrets, to escalate privileges to admin and eventually execute arbitrary code on the server," said the SonarSource researchers who discovered the vulnerability.

SonarSource found a second Jenkins vulnerability tracked as CVE-2024-23898. It is a cross-site WebSocket hijacking vulnerability. Since unpatched Jenkins command line interfaces lack an origin check, any website could potentially use WebSocket to perform actions in Jenkins as if they were the user. The method is similar to how some security vulnerabilities, such as cross-site request forgery, work, the researchers said.
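The second flaw comes down to a missing check on the WebSocket handshake: a browser sends an `Origin` header with every WebSocket upgrade, and a server that ignores it lets any site open a socket that rides on the user's session cookie. The following is an added example, not Jenkins code and not from the researchers, of the server-side origin validation that closes that gap; the allowed origin and the handshake headers are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the origin the service is actually served from.
ALLOWED_ORIGINS = {"https://jenkins.example.test"}


def origin_allowed(headers: dict, allowed: set = ALLOWED_ORIGINS) -> bool:
    """Decide whether a WebSocket upgrade request may proceed.

    Returns True only when the request carries an Origin header whose
    scheme, host and port exactly equal one of the allowed origins.
    Exact matching (not substring or prefix matching) is what prevents
    look-alike origins such as https://jenkins.example.test.evil.example.
    """
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake, so a
        # missing header on a cookie-authenticated request is not a browser
        # and should not inherit the session.
        return False
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # covers the literal "null" origin and junk values
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    return normalized in {a.lower() for a in allowed}


def check_handshake(headers: dict) -> str:
    """Return the HTTP status a handshake handler should answer with."""
    return "101 Switching Protocols" if origin_allowed(headers) else "403 Forbidden"


# Constructed handshake headers (cookie omitted; the session is implied).
SAME_SITE = {"Host": "jenkins.example.test", "Upgrade": "websocket",
             "Origin": "https://jenkins.example.test"}
CROSS_SITE = {"Host": "jenkins.example.test", "Upgrade": "websocket",
              "Origin": "https://evil.example"}
LOOKALIKE = {"Host": "jenkins.example.test", "Upgrade": "websocket",
             "Origin": "https://jenkins.example.test.evil.example"}
NO_ORIGIN = {"Host": "jenkins.example.test", "Upgrade": "websocket"}

if __name__ == "__main__":
    for label, hdrs in [("same-site", SAME_SITE), ("cross-site", CROSS_SITE),
                        ("look-alike", LOOKALIKE), ("no origin", NO_ORIGIN)]:
        print(f"{label:10s} -> {check_handshake(hdrs)}")
```

The check belongs to the upgrade handler, before any authenticated action is dispatched over the socket; once the connection is open, nothing downstream can tell which page opened it. If non-browser clients must connect without an `Origin` header, give them a token-based path rather than weakening this check for everyone.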

About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
