- Nearly 45,000 instances of the open-source automation server Jenkins remain exposed and vulnerable to exploitation to a CVE disclosed last week, according to Shadowserver data.
- Jenkins disclosed and detailed the patch of the critical vulnerability, CVE-2024-23897, in a security advisory on Wednesday. The arbitrary file read vulnerability in the command line interface in Jenkins can be exploited by threat actors to achieve remote code execution, Jenkins security team said.
- Sonar researchers discovered the vulnerability in the CI/CD software and detailed multiple ways threat actors could exploit the CVE to escalate privileges and remotely execute code on the server.
Security researchers are especially concerned about the critical vulnerability in Jenkins because of its broad application.
The open source software has a roughly 44% share of the CI/CD market with an estimated 11 million developers globally, according to the Linux Foundation’s Continuous Delivery Foundation initiative.
Jenkins administrators are strongly encouraged to immediately update to Jenkins 2.442. Organizations that cannot immediately update to the latest version should disable access to the command line interface, which is expected to completely prevent exploitation, according to Jenkins’ advisory.
The open source community also shared steps for organizations to check if their instances are likely affected by the most severe impacts of the CVE.