cbcvebase.
CVE-2024-43044
published 2024-08-07

Priority: P2 · 67 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 28.78% (97.9th percentile)
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.

Affected

5 ranges

Vendor    Product          Version range   Fixed in
jenkins   jenkins          < 2.452.4       2.452.4
jenkins   jenkins          < 2.471         2.471
jenkins   jenkins_core
jenkins   jenkins_lts
jenkins   jenkins_weekly

Detection & IOCs (extracted from sources)

IOC (other): ClassLoaderProxy#fetchJar
IOC (other): hudson.remoting.Channel.DISABLE_JAR_URL_VALIDATOR=true
IOC (other): jenkins.security.s2m.JarURLValidatorImpl.REJECT_ALL=true
  • Monitor for agent processes invoking ClassLoaderProxy#fetchJar with paths outside of core/plugin classloader scope, which indicates exploitation of arbitrary file read on the Jenkins controller.
  • Alert on Agent/Connect permission holders initiating unusual file retrieval requests via the Remoting channel, as this permission is sufficient to exploit the vulnerability.
  • Flag any Jenkins controller running Remoting 3256.v88a_f6e922152 and earlier (excluding backport versions 3206.3208.v409508a_675ff and 3248.3250.v3277a_8e88c9b_) as vulnerable to this arbitrary file read via ClassLoaderProxy#fetchJar.
  • Treat exploitation of this vulnerability as a potential RCE precursor; correlate arbitrary file reads (e.g., credentials, secrets) from the Jenkins controller with subsequent privilege escalation activity.
  • Detect if the Java system property hudson.remoting.Channel.DISABLE_JAR_URL_VALIDATOR is set to true on the controller, which disables the CVE-2024-43044 path validation fix and re-exposes the vulnerability.
  • The fix (path restriction in ClassLoaderProxy#fetchJar) only needs to be present on the controller; agents running older Remoting versions remain safe once the controller is patched.
  • Setting hudson.remoting.Channel.DISABLE_JAR_URL_VALIDATOR=true on the controller re-enables the vulnerable code path and should only be used if agent code is as trusted as Jenkins administrators.
  • Setting jenkins.security.s2m.JarURLValidatorImpl.REJECT_ALL=true fully blocks ClassLoaderProxy#fetchJar but may break plugin functionality (bouncycastle API, Groovy, Ivy, TeamConcert) on agents running older Remoting versions.
  • The binary-data encoding limitation that partially mitigated SECURITY-3314 does NOT apply here; all file content is fully readable via this attack path.
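The checks listed above (Jenkins core below the fixed version, controller Remoting at or below build 3256 without a fixed backport, and the two system properties that re-open or fully block the fetchJar path) can be combined into a single controller triage helper. The following Python is an added example, not part of this CVE record or of Jenkins' own code; the version thresholds and property names are taken from the record, while the sample command line and the Remoting version strings tagged "constructed" are made up for illustration. Because only the controller needs the fix, the helper deliberately inspects controller-side values only.

```python
"""Triage helpers for CVE-2024-43044 on a Jenkins controller (added example)."""
import re
import shlex

# Backported Remoting releases that carry the fix despite a lower build number
# (taken from the record above).
SAFE_REMOTING_BACKPORTS = {"3206.3208.v409508a_675ff", "3248.3250.v3277a_8e88c9b_"}
LAST_VULNERABLE_REMOTING_BUILD = 3256  # 3256.v88a_f6e922152 and earlier

# System properties named in the record that change the fetchJar behaviour.
DISABLE_PROP = "hudson.remoting.Channel.DISABLE_JAR_URL_VALIDATOR"
REJECT_ALL_PROP = "jenkins.security.s2m.JarURLValidatorImpl.REJECT_ALL"


def _version_tuple(version: str):
    return tuple(int(p) for p in version.split("."))


def jenkins_is_vulnerable(version: str) -> bool:
    """Weekly releases (x.y) below 2.471 and LTS releases (x.y.z) below 2.452.4 are affected."""
    parts = _version_tuple(version)
    if len(parts) == 3:          # LTS line uses three components
        return parts < (2, 452, 4)
    return parts < (2, 471)      # weekly line uses two components


def remoting_is_vulnerable(version: str) -> bool:
    """Remoting build 3256 and earlier is affected unless it is one of the fixed backports."""
    if version in SAFE_REMOTING_BACKPORTS:
        return False
    m = re.match(r"(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Remoting version: {version!r}")
    return int(m.group(1)) <= LAST_VULNERABLE_REMOTING_BUILD


def jvm_properties(cmdline: str) -> dict:
    """Extract -Dkey=value pairs from the controller's JVM command line."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            props[key] = value
    return props


def assess_controller(jenkins_version: str, remoting_version: str, cmdline: str) -> dict:
    """Return the findings a defender would act on, plus informational notes."""
    findings, notes = [], []
    if jenkins_is_vulnerable(jenkins_version):
        findings.append(f"Jenkins {jenkins_version} is below the fixed version (2.471 / LTS 2.452.4)")
    if remoting_is_vulnerable(remoting_version):
        findings.append(f"controller Remoting {remoting_version} lacks the fetchJar path restriction")
    props = jvm_properties(cmdline)
    if props.get(DISABLE_PROP, "").lower() == "true":
        findings.append(f"{DISABLE_PROP}=true re-enables the vulnerable code path")
    if props.get(REJECT_ALL_PROP, "").lower() == "true":
        notes.append(f"{REJECT_ALL_PROP}=true blocks fetchJar entirely; "
                     "plugins on agents with older Remoting may break")
    return {"vulnerable": bool(findings), "findings": findings, "notes": notes}


if __name__ == "__main__":
    # Constructed sample: a patched LTS controller whose operator has re-enabled the
    # vulnerable path through the system property.
    SAMPLE_CMDLINE = ("java -Xmx2g "
                      "-Dhudson.remoting.Channel.DISABLE_JAR_URL_VALIDATOR=true "
                      "-jar /opt/jenkins/jenkins.war --httpPort=8080")
    report = assess_controller("2.452.4", "3248.3250.v3277a_8e88c9b_", SAMPLE_CMDLINE)
    for line in report["findings"]:
        print("FINDING:", line)
    for line in report["notes"]:
        print("NOTE:", line)
```

In practice the three inputs come from the controller itself: the core version from the `X-Jenkins` response header or the "About Jenkins" page, the Remoting version from the bundled `remoting.jar` manifest, and the command line from the running process. The helper flags a controller as vulnerable whenever any one of the three conditions holds, so a fully patched build with the validator disabled is still reported.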

CVSS provenance

nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_oracle: 8.8 HIGH
vendor_redhat: 8.8 HIGH