Numerous security researchers have already published proof-of-concept exploits on GitHub for a critical vulnerability in the open-source automation server Jenkins, BleepingComputer reports.
Attackers with Overall/Read permission could leverage the flaw, tracked as CVE-2024-23897, to read arbitrary files on the Jenkins controller, according to SonarSource researchers, who discovered the issue alongside a cross-site WebSocket hijacking bug in the Jenkins CLI, tracked as CVE-2024-23898. The file read comes from the CLI's argument parser, which replaces an @ character followed by a file path with that file's contents; attackers without Overall/Read permission can still read the first few lines of a file, depending on which CLI commands they are allowed to run.
"Achieving code execution from arbitrary file read is dependent on the context," said the researchers, who added that attackers could use the bug to steal SSH keys, project secrets and credentials, source code, and build artifacts.
Both flaws have been fixed in Jenkins 2.442 and LTS 2.426.3, and administrators who cannot upgrade immediately can disable CLI access as a workaround. Exploitation may already be underway: malicious activity has been observed against Jenkins honeypots, and most of the public PoCs have been validated, so threat actors can reuse them with little effort.
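A quick way to triage which controllers still need the update is to compare the version each one reports against the fixed releases. The script below is an added example, not code from the article, from SonarSource or from the Jenkins project; it assumes the fixed versions named in the Jenkins advisory (weekly 2.442, LTS 2.426.3) and that the controller reports its version in the X-Jenkins response header. The header blocks it reads are constructed sample input, not captures from real hosts.

```python
"""Triage Jenkins controllers for the CVE-2024-23897 / CVE-2024-23898 fix.

Added example (not from the article or the Jenkins project). Assumptions:
  - fixed releases are weekly 2.442 and LTS 2.426.3 (Jenkins advisory);
  - the controller reports its version in the X-Jenkins response header.
The SAMPLE_HEADERS below are constructed, not real responses.
"""
import re

FIXED_WEEKLY = (2, 442)      # weekly line: MAJOR.MINOR
FIXED_LTS = (2, 426, 3)      # LTS line: MAJOR.MINOR.PATCH

# Constructed sample response headers keyed by a hypothetical hostname.
SAMPLE_HEADERS = {
    "ci.example.test": "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.426.2\r\nX-Jenkins-Session: abc\r\n",
    "build.example.test": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.442\r\n",
    "lts.example.test": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.426.3\r\n",
    "old.example.test": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.441\r\n",
    "noheader.example.test": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
}


def parse_version(header_block: str):
    """Return the X-Jenkins version as a tuple of ints, or None if absent.

    A trailing suffix such as "-SNAPSHOT" is ignored by the regex.
    """
    m = re.search(r"^X-Jenkins:\s*([0-9][0-9.]*)", header_block, re.M | re.I)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_fixed(version) -> bool:
    """True if the version is at or above the fixed release for its line.

    Three components means an LTS build; two means a weekly build. Only the
    2.426.x LTS line received the backport, so older LTS lines stay
    vulnerable regardless of patch level.
    """
    if len(version) >= 3:
        return version[:3] >= FIXED_LTS
    return version[:2] >= FIXED_WEEKLY


def classify(header_block: str) -> str:
    """Map a response header block to 'fixed', 'vulnerable' or 'unknown'."""
    v = parse_version(header_block)
    if v is None:
        # A reverse proxy may strip the header; absence is not evidence of safety.
        return "unknown"
    return "fixed" if is_fixed(v) else "vulnerable"


def audit(headers_by_host: dict) -> dict:
    """Classify every host in the mapping."""
    return {host: classify(block) for host, block in headers_by_host.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_HEADERS).items():
        print(f"{host:28} {status}")
```

Hosts that come back "unknown" still need a manual check (for example from the About Jenkins page), and a controller on a fixed version with CLI access left enabled should still be reviewed for file reads that happened before the upgrade.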