
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier, contain a critical vulnerability (CVE-2024-23897) in the Jenkins Command Line Interface (CLI) that allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system. The vulnerability was discovered by Yaniv Nizry of SonarSource and disclosed on January 24, 2024. The issue stems from a feature in the CLI command parser that replaces an '@' character followed by a file path with that file's contents (Jenkins Advisory, SonarSource Blog).
The vulnerability exists in Jenkins' use of the args4j library to parse command arguments. When processing CLI commands, the parser has a feature called 'expandAtFiles' that automatically replaces an '@' character followed by a file path with that file's contents. This feature is enabled by default in vulnerable versions. The severity is rated as Critical with a CVSS score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Attackers with Overall/Read permission can read entire files, while those without such permission can read the first few lines, depending on available CLI commands. The vulnerability is particularly concerning on Windows systems where the default character encoding (Windows-1252) makes it more feasible to read binary files containing cryptographic keys (Jenkins Advisory, Horizon3 Analysis).
The vulnerability's impact is severe, potentially leading to remote code execution through multiple attack paths. These include exploitation via Resource Root URLs, 'Remember me' cookie forgery, stored XSS attacks through build logs, CSRF protection bypass, and the ability to decrypt secrets stored in Jenkins. Attackers can also potentially delete Jenkins items and download Java heap dumps of the Jenkins controller or agent processes. The vulnerability affects the confidentiality, integrity, and availability of the system (Jenkins Advisory).
The vulnerability has been fixed in Jenkins 2.442, LTS 2.426.3, and LTS 2.440.1. The fix disables the command parser feature that replaces an '@' character followed by a file path with that file's contents. For administrators unable to update immediately, a temporary workaround is to disable access to the CLI completely; this can be done without a Jenkins restart. If the fix causes problems, administrators can set the Java system property hudson.cli.CLICommand.allowAtSyntax to true to restore the old behaviour, though this is strongly discouraged on networks accessible by non-administrators (Jenkins Advisory).
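A triage check built from the affected and fixed releases and the system property named above, added here as an example; it is not code from the Jenkins advisory or the Jenkins project. The `assess` helper, the LTS-line handling and the sample inputs are assumptions made for the example.

```python
"""Triage a Jenkins controller for CVE-2024-23897 from its version and JVM options."""
import re

# Fixed releases per the Jenkins advisory: weekly 2.442, LTS 2.426.3 and LTS 2.440.1.
WEEKLY_FIXED = (2, 442)
LTS_FIXED = [(2, 426, 3), (2, 440, 1)]
# System property the advisory documents as the escape hatch that re-enables '@' expansion.
AT_SYNTAX_PROP = "hudson.cli.CLICommand.allowAtSyntax"


def parse_version(version):
    """Turn '2.441' (weekly) or '2.426.2' (LTS) into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version):
    """True if the version falls in the affected range stated in the advisory."""
    v = parse_version(version)
    if len(v) == 3:  # LTS: each line (2.426.x, 2.440.x) has its own first fixed release
        line = v[:2]
        for fixed in LTS_FIXED:
            if fixed[:2] == line:
                return v < fixed
        # Assumption: LTS lines newer than 2.440 inherit the fix from weekly 2.442+;
        # any older line without a listed fix (e.g. 2.414.x) is treated as affected.
        return line < (2, 440)
    return v < WEEKLY_FIXED  # weekly releases


def at_syntax_reenabled(java_opts):
    """True if the JVM options set the escape-hatch property to true (constructed parser)."""
    m = re.search(rf"-D{re.escape(AT_SYNTAX_PROP)}=(\S+)", java_opts)
    return bool(m) and m.group(1).lower() == "true"


def assess(version, java_opts=""):
    """Verdict for one controller: patch state first, then the risky override."""
    if is_vulnerable(version):
        return "update required"
    if at_syntax_reenabled(java_opts):
        return "patched but @ syntax re-enabled"
    return "not affected"


if __name__ == "__main__":
    # Constructed sample inventory, not data from the page.
    for ver, opts in [("2.441", ""), ("2.426.3", ""), ("2.442", f"-Xmx2g -D{AT_SYNTAX_PROP}=true")]:
        print(ver, "->", assess(ver, opts))
```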
The security community has responded with high concern to this vulnerability, particularly due to its critical severity and the widespread use of Jenkins in CI/CD pipelines. The Jenkins security team has revised their approach to arbitrary file read vulnerabilities, now considering them to have high impact across all metrics (confidentiality, integrity, and availability) based on this incident (Jenkins Advisory).
Source: This report was generated using AI