PT-2023-8445 · Jenkins +1
Alchemist · Published 2023-01-24 · Updated 2026-01-14 · CVE-2024-23897

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Jenkins versions 2.441 and earlier, including LTS 2.426.2 and earlier.

Description:
Jenkins is vulnerable to arbitrary file read through its command line interface (CLI). The flaw stems from the expandAtFiles feature of the args4j library, which is enabled by default. An unauthenticated attacker can exploit it to read arbitrary files on the Jenkins controller file system. In some cases this exposes sensitive information, including cryptographic keys, which can in turn enable remote code execution. Multiple proof-of-concept (PoC) exploits have been released and the vulnerability is actively exploited in the wild, with reports of ransomware attacks leveraging it. CISA has added it to its Known Exploited Vulnerabilities catalog, requiring federal agencies to address it by September 9, 2024. The vulnerability allows attackers to read files without authentication and, in some cases, to read the first few lines of files even without overall read permission.

Recommendations:
Jenkins versions 2.441 and earlier, including LTS 2.426.2 and earlier, are vulnerable. Upgrade to version 2.442 or LTS 2.426.3 or later to address this vulnerability. If upgrading is not immediately possible, disable access to the Jenkins CLI.
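As an added example (not code from this advisory or from the Jenkins project), the following Python check classifies a Jenkins version string against the fixed releases named above, so an inventory of controllers can be triaged for the upgrade. It assumes the Jenkins convention that weekly releases carry two version components (2.441) and LTS releases three (2.426.2), and that a controller advertises its version in the X-Jenkins response header; the sample headers at the bottom are constructed.

```python
"""Triage Jenkins version strings against the CVE-2024-23897 fixed releases."""
import re
from typing import Optional, Tuple

# Fixed releases taken from the advisory: weekly 2.442, LTS 2.426.3.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Two numeric components (weekly) or three (LTS); trailing suffixes are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of a Jenkins version string.

    Weekly releases have two components ('2.441'), LTS releases three
    ('2.426.2'). A suffix such as '-SNAPSHOT' is dropped. Returns None when
    the string is not a recognisable version.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is affected by CVE-2024-23897, False if it carries
    the fix, None if the version string cannot be parsed."""
    parts = parse_version(version)
    if parts is None:
        return None
    if len(parts) == 3:
        # LTS line: every LTS release before 2.426.3 is affected,
        # including older LTS lines such as 2.414.x.
        return parts < FIXED_LTS
    # Weekly line: 2.441 and earlier are affected.
    return parts < FIXED_WEEKLY


def check_headers(headers: dict) -> Optional[bool]:
    """Classify a controller from the version in its X-Jenkins response header.

    Header names are matched case-insensitively. Returns None if the header
    is absent or its value cannot be parsed.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return is_vulnerable(value)
    return None


if __name__ == "__main__":
    # Constructed sample headers from a hypothetical controller (not real data).
    sample_headers = {"Content-Type": "text/html", "X-Jenkins": "2.426.2"}
    for v in ["2.441", "2.442", "2.426.2", "2.426.3", "2.414.3", "2.440.1", "n/a"]:
        print(f"{v:>8}: vulnerable={is_vulnerable(v)}")
    print("sample headers: vulnerable =", check_headers(sample_headers))
```

The tuple comparison does the version ordering: because the LTS and weekly lines are compared only against the fix in their own line, an LTS controller on 2.440.1 is correctly reported as fixed even though its middle component is below 441, and an older LTS line such as 2.414.3 is reported as affected.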

Tags: Exploit · Fix · RCE · Path traversal · Improper Access Control · Information Disclosure

Related Identifiers:
BDU:2024-00750
BIT-JENKINS-2024-23897
CVE-2024-23897
GHSA-6F9G-CXWR-Q5JR
RHSA-2024:0775
RHSA-2024:0776
RHSA-2024:0778

Affected Products:
Jenkins
Red Os