Describe the bug
Jenkins Security Advisory 2024-01-24 described a critical CVE that applies to all Jenkins controller versions 2.441 and earlier.
The current CI Jenkins controller version is 2.387.1, so we can take the steps suggested by Jenkins to mitigate the issue for the time being.
To reproduce
This CVE is applicable to all Jenkins controller versions 2.441 and earlier.
Expected behavior
We can take the following steps suggested by Jenkins to mitigate the issue:
Fix Description:
Jenkins 2.442, LTS 2.426.3 disables the command parser feature that replaces an @ character followed by a file path in an argument with the file's contents for CLI commands.
In case of problems with this fix, disable this change by setting the Java system property hudson.cli.CLICommand.allowAtSyntax to true. Doing this is strongly discouraged on any network accessible by users who are not Jenkins administrators.
Workaround:
Disabling access to the CLI is expected to prevent exploitation completely. Doing so is strongly recommended to administrators unable to immediately update to Jenkins 2.442, LTS 2.426.3. Applying this workaround does not require a Jenkins restart. For instructions, see the documentation for this workaround ( https://github.com/jenkinsci-cert/SECURITY-3314-3315/ ).
Also, refer to https://www.jenkins.io/doc/book/managing/groovy-hook-scripts/ to create the init.groovy.d folder and place disable-cli.groovy in it.
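The steps above, as an added example that is not part of the original issue, the Jenkins advisory, or the jenkinsci-cert/SECURITY-3314-3315 repository: a POSIX shell helper that decides from the version numbers quoted above (weekly 2.442 and LTS 2.426.3 carry the fix) whether a controller still needs the workaround, and writes a disable-cli.groovy hook into $JENKINS_HOME/init.groovy.d following the groovy-hook-scripts documentation linked above. The Groovy body is this example's own illustration of removing the CLI root action through the Jenkins extension list, not the script published by jenkinsci-cert; the function names, the JENKINS_HOME argument and the curl check are assumptions.

```shell
#!/bin/sh
# Constructed example; review against the published workaround script before use.
set -eu

# Print "yes" if the given controller version still needs the CLI workaround,
# "no" if it already carries the fix. Thresholds come from the advisory text:
# weekly 2.442+, LTS 2.426.3+ (later LTS lines such as 2.440.x are newer than that).
needs_cli_workaround() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=""
    case "$rest" in
        *.*) patch=${rest#*.} ;;   # third component present: LTS line
    esac
    if [ "$major" -ne 2 ]; then
        echo unknown               # only the 2.x line is covered by the advisory
        return
    fi
    if [ -n "$patch" ]; then
        if [ "$minor" -gt 426 ] || { [ "$minor" -eq 426 ] && [ "$patch" -ge 3 ]; }; then
            echo no
        else
            echo yes
        fi
    else
        if [ "$minor" -ge 442 ]; then echo no; else echo yes; fi
    fi
}

# Create $JENKINS_HOME/init.groovy.d and drop a hook that removes the CLI root
# action at startup, so the /cli/ endpoint (HTTP and WebSocket CLI) is no longer
# served. Prints the path of the file written. Assumption: the first argument is
# the controller's JENKINS_HOME.
install_disable_cli_hook() {
    home=$1
    mkdir -p "$home/init.groovy.d"
    cat > "$home/init.groovy.d/disable-cli.groovy" <<'EOF'
import hudson.cli.CLIAction
import hudson.model.RootAction
import jenkins.model.Jenkins

// Illustration of the approach, not the jenkinsci-cert script:
// unregister CLIAction from the RootAction extension list.
def jenkins = Jenkins.get()
def rootActions = jenkins.getExtensionList(RootAction.class)
def cli = rootActions.find { it instanceof CLIAction }
if (cli != null && rootActions.remove(cli)) {
    println("disable-cli.groovy: Jenkins CLI root action removed")
} else {
    println("disable-cli.groovy: CLIAction not found, nothing removed")
}
EOF
    echo "$home/init.groovy.d/disable-cli.groovy"
}

# External check against a running controller (assumed base URL as argument):
# prints the HTTP status of /cli/. With the hook active this should no longer be 200.
cli_endpoint_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1/cli/"
}
```

The version check mirrors the issue's own numbers: 2.387.1 (the CI controller) and 2.426.2 report "yes", 2.426.3 and 2.442 report "no". Run cli_endpoint_status against the controller after the hook has been applied to confirm the endpoint is gone, and keep the hook in place only until the controller is upgraded.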
Screenshots
No response
Host / Environment
No response
Additional context
No response
Relevant log output
No response