Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.town/notes/9owus0nttnw96wnt">Taggart :donor: (mttaggart@infosec.town)'s status on Thursday, 25-Jan-2024 23:58:58 JST</a><a href="https://infosec.town/@mttaggart" title="mttaggart@infosec.town"><img src="https://gnusocial.jp/theme/gnusocialjp/default-avatar-stream.png" width="48" height="48" alt="Taggart :donor:" style="position: absolute; left: 0; top: 0;">Taggart :donor:</a></section><article><p>Good morning! Have a fairly gnarly RCE in <a href="https://infosec.town/tags/Jenkins" rel="tag">#Jenkins</a>: Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is <b>enabled by default</b> and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.<a href="https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314">www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314</a><br><br><a href="https://infosec.town/tags/CVE_2024_23897" rel="tag">#CVE_2024_23897</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2632938#notice-5215868">In conversation</a><time datetime="2024-01-25T23:58:58+09:00" title="Thursday, 25-Jan-2024 23:58:58 JST">Thursday, 25-Jan-2024 23:58:58 JST</time> <span>from <span><a href="https://infosec.town/notes/9owus0nttnw96wnt" rel="external" title="Sent from infosec.town via ActivityPub">infosec.town</a></span></span><a href="https://infosec.town/notes/9owus0nttnw96wnt">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/2162523">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Taggart :donor: (mttaggart@infosec.town)'s status on Thursday, 25-Jan-2024 23:58:58 JST Taggart :donor:
Good morning! Have a fairly gnarly RCE in #Jenkins: Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314

#CVE_2024_23897
In conversationThursday, 25-Jan-2024 23:58:58 JST from infosec.townpermalink
Attachments
1. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice