Jenkins, one of the most widely deployed CI/CD automation servers, disclosed a critical vulnerability in its CLI component (CVE-2024-23897) on 24 January 2024 that allows attackers to read arbitrary files from the Jenkins controller. While classified as a file read vulnerability, our research demonstrates a reliable escalation path to remote code execution through credential extraction and API token abuse.
The args4j Parsing Flaw
The vulnerability lies in Jenkins' use of the args4j library for parsing CLI arguments. The library has a feature where any argument starting with @ is interpreted as a file path: the file is read by the server process and each of its lines is spliced into the command line as a separate additional argument. Jenkins' CLI endpoint exposes this behaviour to callers before any command-specific permission check runs, so even an unauthenticated attacker (one without Overall/Read) can read the first few lines of any file accessible to the Jenkins process. An attacker who does hold Overall/Read, which includes anonymous users on controllers configured with "allow anonymous read access", can read entire files.
How many lines come back depends on the CLI command used. Some commands consume only the first positional argument and echo it back in an error message (sufficient for many secrets, such as a single-line key or token), while commands that accept several positional arguments report each unknown value, leaking multiple lines of the file. Because the file is decoded as text using the controller's default character encoding, binary files are recovered only partially.
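The following Python emulation of args4j's @file expansion is an added example written for this article; it is not Jenkins code and does not contact a Jenkins server. It reproduces the splice-lines-as-arguments behaviour, then models two command shapes: one that echoes a single positional argument back (leaking the first line) and one that reports every unknown positional argument (leaking every line). The error message strings are assumed approximations of what the real commands print, and the sample file content is constructed. The hardened variant at the end mirrors the upstream fix, which simply stops treating @-prefixed arguments as file references.

```python
"""Emulate args4j '@file' expansion as exposed through the Jenkins CLI.

Added example for this article: not Jenkins or args4j code. The message
formats in the simulate_* functions are assumed approximations.
"""
import os
import tempfile
from typing import Iterable


def expand_at_files(args: Iterable[str], allow_at_files: bool = True) -> list[str]:
    """Mimic args4j's expandAtFiles(): an argument beginning with '@' names a
    file, read with the *server's* privileges, whose lines each become one
    argument. With allow_at_files=False the '@' is left literal, which is the
    behaviour of the fixed Jenkins releases.
    """
    result: list[str] = []
    for arg in args:
        if allow_at_files and arg.startswith("@"):
            path = arg[1:]
            # args4j reads the file line by line as text in the JVM default
            # charset; errors="replace" models the lossy decode of binary data.
            with open(path, encoding="utf-8", errors="replace") as fh:
                result.extend(line.rstrip("\r\n") for line in fh)
        else:
            result.append(arg)
    return result


def simulate_single_arg_command(expanded: list[str]) -> str:
    """Model a command that takes ONE positional argument and echoes it back
    when it is unknown. Only the first line of the @file leaks.
    (Assumed message format, not Jenkins' exact text.)"""
    name = expanded[1] if len(expanded) > 1 else ""
    return f"ERROR: No such command {name}"


def simulate_multi_arg_command(expanded: list[str], known_nodes: set[str]) -> list[str]:
    """Model a command that takes MANY positional names (e.g. node names) and
    reports each unknown one. Every line of the @file leaks, one per message.
    (Assumed message format, not Jenkins' exact text.)"""
    return [f'No such agent "{n}" exists.' for n in expanded[1:] if n not in known_nodes]


# Constructed sample content standing in for a sensitive file on the controller.
SAMPLE_FILE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)


def demo(file_content: str = SAMPLE_FILE, patched: bool = False) -> tuple[str, list[str]]:
    """Write the sample file, run both simulated commands against '@<path>',
    and return (single-arg output, multi-arg outputs)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(file_content)
        path = fh.name
    try:
        allow = not patched
        single = simulate_single_arg_command(
            expand_at_files(["help", f"@{path}"], allow_at_files=allow))
        multi = simulate_multi_arg_command(
            expand_at_files(["connect-node", f"@{path}"], allow_at_files=allow),
            known_nodes={"built-in"})
    finally:
        os.unlink(path)
    return single, multi


if __name__ == "__main__":
    single, multi = demo()
    print(single)           # first line only
    for line in multi:      # every line
        print(line)
    print(demo(patched=True))  # patched: the literal '@/tmp/...' is echoed, nothing is read
```

Running the block shows the asymmetry the text describes: the single-argument command leaks only the first line, the multi-argument command leaks all of them, and with the fix applied the server echoes the literal @-string instead of a file's contents.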
Escalation: From File Read to RCE
The critical escalation path involves reading Jenkins' internal credential stores under $JENKINS_HOME. Key targets include credentials.xml (credentials encrypted with the instance key), config.xml (security realm and authorization configuration), and the per-user users/*/config.xml files, which hold the password hashes of Jenkins' built-in user database and any legacy API tokens. By also reading secrets/master.key and secrets/hudson.util.Secret, an attacker can decrypt all stored credentials, including SSH keys, cloud provider tokens, and deployment credentials. Two caveats matter in practice: hudson.util.Secret is a binary file, so the text-based CLI leak may return it only partially and several attempts or a different transport encoding may be needed; and API tokens created with Jenkins' current token system are stored hashed rather than encrypted, so only legacy tokens are directly recoverable.
With decrypted admin credentials or a usable API token, the attacker gains full Jenkins access and can create or modify build jobs, or run Groovy through the script console, to execute arbitrary code on the controller or on connected build agents.
Detection and YARA Rules
We have developed YARA rules and Suricata signatures to detect exploitation attempts targeting the Jenkins CLI endpoint. Key indicators include unexpected @ characters in CLI arguments, access to the /cli endpoint (including the WebSocket variant under /cli/ws) from external IPs, and the Jenkins process reading sensitive files outside normal operation patterns. Note that the same args4j parsing is used by every CLI transport, so the SSH CLI must be covered as well as HTTP. Organizations should update to Jenkins 2.442+ or LTS 2.426.3+ immediately; those releases disable the @file expansion entirely. Where patching is delayed, disable CLI access as documented by the Jenkins project.