Improper Access Control Affecting org.jenkins-ci.main:jenkins-core package, versions [,2.426.3) [2.427,2.440.1) [2.441,2.442)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGJENKINSCIMAIN-6190606
- published 28 Jan 2024
- disclosed 24 Jan 2024
- credit Yaniv Nizry
Introduced: 24 Jan 2024
CVE-2024-23897 Open this link in a new tabHow to fix?
Upgrade org.jenkins-ci.main:jenkins-core to version 2.426.3, 2.440.1, 2.442 or higher.
Overview
org.jenkins-ci.main:jenkins-core is an open source automation server.
Affected versions of this package are vulnerable to Improper Access Control via the CLI command parser. An attacker can read arbitrary files on the Jenkins controller file system by supplying an '@' character followed by a file path in an argument.
Notes:
Attackers with Overall/Read permission can read entire files.
Attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on available CLI commands.
Workaround
Disabling access to the CLI is expected to prevent exploitation completely. Doing so is strongly recommended to administrators unable to immediately update to Jenkins 2.442, LTS 2.426.3. Applying this workaround does not require a Jenkins restart. For instructions, see the documentation for this workaround.