Excessive Expansion Vulnerabilities Leave Jenkins Servers Open to Attacks

The Jenkins Security team was notified of the reported issues in November 2023, which were confirmed and fixed by the vendor the same month and fixed in January 2024.

Sonar’s Vulnerability Research Team has discovered security vulnerabilities in Jenkins, an open-source CI/CD software. These vulnerabilities, which the company refers to as ‘Excessive Expansion,’ allow unauthorized attackers to read and execute arbitrary code on the server, potentially escalating privileges to admins.

For your information, Jenkins is a popular automation server used to automate the software development lifecycle, with a market share of 44% in 2023. The potential impact of security vulnerabilities on end-users is, therefore, significant.

Two vulnerabilities were identified in Jenkins software tracked as CVE-2024-23897 and CVE-2024-23898. The first leverages the “expandAtFiles” functionality to allow arbitrary file reading and code execution, and the second allows arbitrary command execution by manipulating users to visit malicious links.

The vulnerabilities stem from the way Jenkins handles user-supplied data. CVE-2024-23897 allows unauthorized adversaries with “overall/read” permission to read arbitrary files on the Jenkins controller file system. However, even without these permissions, they can read the first few lines of files due to the built-in command line interface (CLI) that uses the args4j library to parse command arguments and options on the Jenkins controller.

This allows attackers to expand arguments from a file on the Jenkins instance and potentially leak file contents. The default character encoding allows attackers with Overall/Read permission to read entire files, and those without the permission can read the first few lines. Unfortunately, this feature is enabled by default, and disabling it isn’t an option in Jenkins 2.441 and LTS 2.426.2 or earlier versions.

Unauthenticated attackers can access the system with Read permission if they meet certain conditions, including enabling legacy mode authorization, signup feature, and “Allow anonymous read access” configuration. This allows users to access the basic Jenkins API, object APIs, people directory, and agents, while administrators can access everything on a Jenkins instance. Researchers successfully read files without plugins, but couldn’t identify plugins that can increase line count.

CVE-2024-23898 is a high-severity, cross-site WebSocket hijacking (CSWSH) vulnerability, which allows attackers to execute CLI commands by manipulating victims to click on links. Modern web browsers, like Safari and Firefox, have a “lax by default” policy to protect against a vulnerability but it isn’t strictly enforced.

Due to potential bypass techniques and outdated browsers, this vulnerability is assigned a High severity classification. Browsers don’t enforce SOP and CORS policies on WebSockets, as they work over WS(WebSocket) or WSS(WebSocketSecure) protocols. WebSockets can be used by any website to invoke Jenkins-CLI commands with the victim’s identity, similar to CSRF vulnerabilities without Jenkins-crumb or Origin header check.

The Jenkins Security team was notified of the reported issues in November 2023, which were confirmed and fixed by the vendor the same month and fixed in January 2024. The vendor fixed CVE-2024-23897 and CVE-2024-23898 by enabling secure configuration and origin verification for WebSocket endpoints, allowing administrators to override the default behaviour. Developers/users must immediately apply patches released in Jenkins versions 2.442 and LTS 2.426.3.

For insights, we reached out to John Gallagher, Vice President of Viakoo Labs at Viakoo who stated that “The urgency behind users patching their Jenkins servers immediately is driven by POC exploits already being published on GitHub, and the severity level is extremely high.”

“With this CVE, agile development teams using Jenkins are ideal vehicles for introducing and spreading vulnerabilities; that’s the real risk here. If successful, threat actors could use this exploit to infect many independent software distributions,” John explained.

“As with many open-source projects, patching is difficult because the size of teams using it tends to be small, their time pressure being agile is great, and there may be a false belief that other layers of security will offer protection. Having an accurate application inventory and automated patching solutions will reduce the time that threat actors can exploit this CVE,” he warned.

1. Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
2. Hackers can hijack your Bosch Thermostat and Install Malware
3. Critical “PixieFail” Flaws Expose Millions of Devices to Cyberattacks
4. TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware
5. Windows Defender SmartScreen Flaw Exploited with Phemedrone Stealer