Critical Jenkins Vulnerability Let Attackers Execute Remote Code
Jenkins is an open-source, Java-based automation server used for continuous integration and continuous delivery (CI/CD). Threat actors target Jenkins because of its widespread use in software development pipelines.
That ubiquity gives attackers an opportunity to exploit vulnerabilities, gain unauthorized access to sensitive data such as build credentials and signing keys, and disrupt or compromise the software development workflow itself.
Jenkins has recently disclosed a critical vulnerability, tracked as CVE-2024-23897 with a CVSS score of 9.8, that can lead to remote code execution.
Alert: CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE Possible
A critical vulnerability within Jenkins' built-in command line interface (CLI), opens the door to arbitrary file reads through the CLI, potentially culminating in remote code execution…
— Hunter (@HunterMapping) January 25, 2024
Flaw Profile
CVE ID: CVE-2024-23897
CVSS score: 9.8
Severity: CRITICAL
Description: Arbitrary file read vulnerability through the CLI can lead to RCE
Jenkins advisory ID: SECURITY-3314
Critical Jenkins Vulnerability
The vulnerability stems from a feature of the args4j library, which Jenkins uses to parse CLI arguments. By default, args4j's 'expandAtFiles' feature replaces any argument of the form @<path> with the contents of that file. Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier, left this enabled for the Jenkins CLI.
An attacker who can reach the CLI can therefore make the controller read arbitrary files from its file system, with the file contents surfacing through the behaviour or error output of whichever CLI command received the expanded argument.
CVE-2024-23897 lets attackers with Overall/Read permission read entire files, while attackers without that permission can still read the first few lines, with the exact number depending on the CLI command used.
Reading binary files, such as those holding cryptographic keys, is possible but subject to restrictions (see the encoding discussion below). Jenkins warns that several of the potential RCE attacks require obtaining such keys from binary files.
The Jenkins team found ways to read the first three lines of a file in recent releases without any plugins installed, and has not identified any plugins that would increase this line count.
The attacks Jenkins has confirmed rely on reading files with a known path and on the attacker's ability to recover cryptographic keys from binary files.
Capabilities
Once those conditions are met, the Jenkins advisory lists the following attacks as possible:-
Remote code execution via Resource Root URLs
Remote code execution via “Remember me” cookie
Remote code execution via stored cross-site scripting (XSS) attacks through build logs
Remote code execution via CSRF protection bypass
Decrypt secrets stored in Jenkins
Delete any item in Jenkins
Download a Java heap dump
Whether binary files can be read usefully also depends on the character encoding the Jenkins controller uses. With UTF-8, roughly half of all byte values cannot be decoded as standalone characters and are replaced with a placeholder, which makes recovering intact key material difficult for attackers.
With Windows-1252, only 5 of the 256 byte values are replaced, which greatly improves the attacker's odds. Administrators can see which encoding their instance uses by checking the file.encoding value under Manage Jenkins > System Information, and should update Jenkins promptly either way.
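The following Python model illustrates the two points above: how an args4j-style @file expansion turns a CLI argument into a file read that leaks through a command's error message, why disabling the expansion (the default since the fix) stops it, and how many byte values UTF-8 and Windows-1252 cannot map. This is an added example, not Jenkins or args4j code; the toy command, the temporary file and its contents are constructed for the demonstration.

```python
"""Model of the Jenkins CLI '@file' expansion (args4j expandAtFiles) and of how
the controller's default charset limits what survives when a binary file is read.

Added illustration, not Jenkins or args4j code. The toy command, file name and
file contents are constructed for the demonstration.
"""
import os
import tempfile


class CmdLineException(Exception):
    """Raised by the toy parser, in the role of args4j's CmdLineException."""


def expand_at_files(args, allow_at_syntax, encoding="utf-8"):
    """Replace any argument of the form '@<path>' with the lines of <path>.

    Mirrors args4j's expandAtFiles: every non-empty line of the file becomes
    one argument. Jenkins 2.442 / LTS 2.426.3 ship with this disabled
    (allow_at_syntax=False here), so an '@...' argument is left untouched.
    """
    result = []
    for arg in args:
        if allow_at_syntax and arg.startswith("@"):
            path = arg[1:]
            if not os.path.exists(path):
                raise CmdLineException(f"No such file: {path}")
            # Bytes the charset cannot map become U+FFFD, which is why key
            # material read under UTF-8 is mostly destroyed.
            with open(path, "rb") as fh:
                text = fh.read().decode(encoding, errors="replace")
            result.extend(line for line in text.splitlines() if line.strip())
        else:
            result.append(arg)
    return result


def toy_command(args, allow_at_syntax, encoding="utf-8"):
    """A CLI command expecting exactly one positional argument (a node name).

    Like some real Jenkins commands it echoes unexpected input back in its
    error message; that echo is the channel through which file contents leak.
    """
    expanded = expand_at_files(args, allow_at_syntax, encoding)
    if len(expanded) != 1:
        raise CmdLineException(f"expected 1 argument, got {expanded!r}")
    return f"connected to node {expanded[0]}"


def unmappable_byte_values(encoding):
    """Count the byte values 0..255 that decode to U+FFFD under `encoding`.

    UTF-8 cannot map any lone byte >= 0x80 (128 of 256 values); Windows-1252
    leaves only five values undefined (0x81, 0x8D, 0x8F, 0x90, 0x9D).
    """
    return sum(
        1 for b in range(256)
        if bytes([b]).decode(encoding, errors="replace") == "\ufffd"
    )


def demo():
    """Run the toy command against a constructed secret file, with the
    expansion enabled (pre-fix behaviour) and disabled (post-fix behaviour)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("first-line-of-secret\nsecond-line\n")  # constructed content
        for label, allow in (("vulnerable", True), ("fixed", False)):
            try:
                toy_command([f"@{secret}"], allow_at_syntax=allow)
                results[label] = "ok"
            except CmdLineException as exc:
                results[label] = str(exc)
    return results


if __name__ == "__main__":
    for enc in ("utf-8", "cp1252"):
        print(f"{enc}: {unmappable_byte_values(enc)} of 256 byte values unmappable")
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

With the expansion enabled, the error message reproduces both lines of the secret file; with it disabled, the literal string "@/path" is treated as an ordinary argument and nothing is read. The byte counts are the 128-of-256 and 5-of-256 figures the advisory cites.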
Other Flaws Detected
Here below, we have mentioned all the other vulnerabilities detected:-
CVE-2024-23898 (CVSS 8.8): a cross-site WebSocket hijacking vulnerability in the CLI.
CVE-2024-23899 (CVSS 8.8): an arbitrary file read vulnerability in Git server Plugin that can lead to RCE.
CVE-2023-6148 (CVSS 8.0): a stored XSS vulnerability in Qualys Policy Compliance Scanning Connector Plugin.
CVE-2024-23905 (CVSS 8.0): Content-Security-Policy protection for user content disabled by Red Hat Dependency Analytics Plugin.
CVE-2024-23904 (CVSS 7.5): an arbitrary file read vulnerability in Log Command Plugin.
CVE-2023-6147 (CVSS 7.1): an XXE vulnerability in Qualys Policy Compliance Scanning Connector Plugin.
Jenkins 2.442 and LTS 2.426.3 fix CVE-2024-23897 by disabling the command parser's @-file expansion. Administrators can re-enable it by setting the Java system property hudson.cli.CLICommand.allowAtSyntax to true, but this is not advised, especially for instances reachable from untrusted networks.
Administrators who cannot update immediately should, as a temporary workaround, disable access to the CLI.
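A quick triage helper for the update step, as an added example that is not Jenkins project code: it takes the version a controller advertises and decides whether it predates the fix, treating two-component versions (2.441) as weekly releases and three-component versions (2.426.2) as LTS. Jenkins really does report its version in an X-Jenkins HTTP response header (visible with a HEAD request to the controller), but the header block below is a constructed sample.

```python
"""Decide whether a Jenkins version predates the CVE-2024-23897 fix
(weekly 2.442, LTS 2.426.3). Added example, not Jenkins project code.
The HTTP headers below are a constructed sample of what a controller returns."""

FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Constructed sample; a real controller sends X-Jenkins on most responses,
# including 403s for unauthenticated requests.
SAMPLE_HEADERS = """HTTP/1.1 403 Forbidden
X-Jenkins: 2.441
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""


def parse_version(version):
    """Turn '2.441' or '2.426.2' into an integer tuple; reject other shapes."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected Jenkins version format: {version!r}")
    return parts


def is_vulnerable(version):
    """True if `version` is older than the fix for its release line.

    Weekly releases have two components and are compared against 2.442;
    LTS releases have three and are compared against 2.426.3. Comparing
    each line only against its own fix avoids misjudging e.g. LTS 2.440.1
    (fixed) against weekly 2.441 (vulnerable).
    """
    parts = parse_version(version)
    if len(parts) == 3:
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY


def version_from_headers(raw_headers):
    """Extract the X-Jenkins value from a raw HTTP header block, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def triage(raw_headers):
    """Summarise a controller's exposure from its response headers."""
    version = version_from_headers(raw_headers)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "no X-Jenkins header"}
    vulnerable = is_vulnerable(version)
    note = ("update to 2.442 / LTS 2.426.3 or newer; disable CLI access until then"
            if vulnerable else "at or beyond the fixed version")
    return {"version": version, "vulnerable": vulnerable, "note": note}


if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))
```

A version at or beyond the fix only tells you the @-file expansion is off by default; also confirm nobody has set hudson.cli.CLICommand.allowAtSyntax=true in the controller's JVM options.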
The post Critical Jenkins Vulnerability Let Attackers Execute Remote Code appeared first on Cyber Security News.