CVE-2024-43044 Overview
CVE-2024-43044 is an arbitrary file read vulnerability affecting Jenkins controllers. The flaw exists in the Remoting library used for agent-to-controller communication. Jenkins 2.470 and earlier, and LTS 2.452.3 and earlier, expose the ClassLoaderProxy#fetchJar method to agent processes. An attacker controlling a Jenkins agent can invoke this method to read arbitrary files from the controller file system. The issue is tracked as CWE-754 (Improper Check for Unusual or Exceptional Conditions).
Critical Impact
A compromised or malicious agent can read sensitive files from the Jenkins controller, including secrets, credentials, and configuration data that enable broader compromise of the build pipeline.
Affected Products
- Jenkins weekly versions 2.470 and earlier
- Jenkins LTS 2.452.3 and earlier
- Jenkins Remoting library used for agent communication
Discovery Timeline
- 2024-08-07 - Jenkins publishes Security Advisory 2024-08-07 as SECURITY-3430
- 2024-08-07 - CVE-2024-43044 published to NVD
- 2025-03-14 - Last updated in NVD database
Technical Details for CVE-2024-43044
Vulnerability Analysis
The Jenkins Remoting library implements the communication channel between the controller and its build agents. Within this channel, the controller exposes a ClassLoaderProxy object so agents can request class definitions and supporting JAR files needed to execute build tasks. The fetchJar method on this proxy returns the bytes of a requested JAR file to the calling agent.
The method does not restrict which files an agent can request through this interface. An agent can supply arbitrary file paths and receive the contents back across the Remoting channel. The expected trust boundary, in which the controller treats agents as semi-trusted but distinct security contexts, is therefore broken for file read operations.
Sensitive targets on a typical Jenkins controller include secrets/master.key, secrets/hudson.util.Secret, credentials.xml, job configuration files, and SSH keys. Reading these files allows an attacker to decrypt stored credentials and pivot to additional systems integrated with the build pipeline.
Root Cause
The root cause is missing validation in the ClassLoaderProxy#fetchJar method within the Remoting library. The method was intended to serve specific JAR resources required by agents but accepts arbitrary file references without enforcing a path allowlist or restricting access to the JAR cache directory.
Attack Vector
Exploitation requires control of a Jenkins agent process or the ability to connect a rogue agent to the controller. An attacker with valid agent credentials, or one who compromises an existing agent host, invokes ClassLoaderProxy#fetchJar over the Remoting protocol with a path to a sensitive file on the controller. The controller returns the file contents to the agent.
No separate user interaction is required on the controller. The vulnerability does not yield direct code execution, but credentials and secrets recovered from the controller commonly lead to full pipeline compromise. Technical specifics are documented in the Jenkins Security Advisory 2024-08-07.
Detection Methods for CVE-2024-43044
Indicators of Compromise
- Unexpected fetchJar or ClassLoaderProxy invocations originating from agents in Jenkins controller logs
- Agent connections from hosts that do not correspond to provisioned build infrastructure
- Access to or modification of secrets/, credentials.xml, or job config.xml files on the controller outside of normal administrative activity
- Outbound use of Jenkins-stored credentials from agent hosts rather than the controller
Detection Strategies
- Enable and review Jenkins audit logs for Remoting channel activity, focusing on class and JAR load requests from agents
- Compare the list of connected agents against the inventory of approved build hosts to identify rogue connections
- Monitor file system access on the controller for reads of JENKINS_HOME/secrets/ by the Jenkins service account triggered by agent sessions
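The indicators and detection strategies above can be turned into a small triage script. The following is an added example, not code from the page or from the Jenkins project: it runs two of the checks (rogue agent connections against an inventory of approved hosts, and fetchJar requests that leave the JAR cache or name known secret files) over a handful of constructed controller log lines. The log wording, host names and the APPROVED_AGENTS inventory are all assumptions; adapt the regular expressions to the message formats your Jenkins version actually emits.

```python
import re
from dataclasses import dataclass

# Constructed sample controller log lines. The wording is illustrative only;
# map the regexes below onto the messages your Jenkins version really logs.
SAMPLE_LOG = """\
2024-08-08 10:01:12 INFO  Accepted JNLP4-connect connection from build-01.example.local/10.0.5.11:49152
2024-08-08 10:01:13 FINE  [build-01.example.local] ClassLoaderProxy#fetchJar requested jars/plugin-support.jar
2024-08-08 10:02:40 INFO  Accepted JNLP4-connect connection from unknown-host/10.0.9.77:51020
2024-08-08 10:02:41 FINE  [unknown-host] ClassLoaderProxy#fetchJar requested secrets/master.key
2024-08-08 10:02:42 FINE  [unknown-host] ClassLoaderProxy#fetchJar requested credentials.xml
"""

# Constructed inventory of provisioned build hosts (assumption: maintained by the admin).
APPROVED_AGENTS = {"build-01.example.local", "build-02.example.local"}

# Files an agent has no legitimate reason to pull through the class-loading channel.
SENSITIVE_PATTERNS = (
    re.compile(r"^secrets/"),
    re.compile(r"(^|/)credentials\.xml$"),
    re.compile(r"(^|/)config\.xml$"),
    re.compile(r"(^|/)id_(rsa|ed25519)$"),
)

CONNECT_RE = re.compile(r"connection from (?P<host>[^/\s]+)/(?P<ip>[\d.]+):\d+")
FETCHJAR_RE = re.compile(
    r"\[(?P<agent>[^\]]+)\] ClassLoaderProxy#fetchJar requested (?P<path>\S+)"
)


@dataclass(frozen=True)
class Finding:
    severity: str
    agent: str
    detail: str


def is_sensitive_path(path: str) -> bool:
    return any(p.search(path) for p in SENSITIVE_PATTERNS)


def looks_like_jar_cache_request(path: str) -> bool:
    """Only .jar files that stay inside the jars/ cache are expected requests."""
    return path.startswith("jars/") and path.endswith(".jar") and ".." not in path.split("/")


def analyze(log_text: str, approved: set[str]) -> list[Finding]:
    """Scan controller log lines and return findings in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and m["host"] not in approved:
            findings.append(Finding("high", m["host"],
                                    f"agent connection from unapproved host {m['host']} ({m['ip']})"))
            continue
        m = FETCHJAR_RE.search(line)
        if not m:
            continue
        agent, path = m["agent"], m["path"]
        if is_sensitive_path(path):
            findings.append(Finding("critical", agent, f"fetchJar request for sensitive file {path}"))
        elif not looks_like_jar_cache_request(path):
            findings.append(Finding("medium", agent, f"fetchJar request outside the JAR cache: {path}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, APPROVED_AGENTS):
        print(f"[{f.severity}] {f.agent}: {f.detail}")
```

The connection check runs first so that a rogue host is reported once at connect time; its later fetchJar lines are still evaluated on their own, because a path like secrets/master.key is worth a critical finding regardless of which agent asked for it.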
Monitoring Recommendations
- Forward Jenkins controller and agent logs to a centralized SIEM for correlation with authentication and network telemetry
- Alert on Jenkins version banners exposing 2.470 or earlier and LTS 2.452.3 or earlier on internal networks
- Track usage of credentials stored in Jenkins from non-controller source IPs as a signal of secret exfiltration
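Alerting on version banners needs a correct comparison, because the weekly and LTS lines have different fix thresholds (2.471 weekly; 2.452.4 and 2.462.1 LTS, per the advisory). The following added example, not code from the page or from Jenkins, parses an X-Jenkins header value and decides whether it falls in the affected range. SAMPLE_HEADERS is a constructed response; the one real assumption is that an LTS line 2.N.x is cut from weekly 2.N, so LTS lines numbered at or beyond the weekly fix already contain it.

```python
import re
from typing import Optional

# Fixed versions per Jenkins Security Advisory 2024-08-07 (SECURITY-3430).
WEEKLY_FIXED = (2, 471)
LTS_FIXED = {(2, 452): (2, 452, 4), (2, 462): (2, 462, 1)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")

# Constructed response headers, as `curl -sI` would show them. Not real output.
SAMPLE_HEADERS = """\
HTTP/1.1 403 Forbidden
X-Content-Type-Options: nosniff
X-Hudson: 1.395
X-Jenkins: 2.452.3
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""


def parse_version(banner: str) -> tuple:
    """Turn '2.470' or '2.452.3' into an integer tuple for comparison."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version banner: {banner!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_affected(banner: str) -> bool:
    """True when the banner falls inside the range the advisory lists as vulnerable."""
    v = parse_version(banner)
    if len(v) == 2:                      # weekly line: major.minor
        return v < WEEKLY_FIXED
    line = v[:2]                         # LTS line: major.minor.patch
    if line in LTS_FIXED:
        return v < LTS_FIXED[line]
    # Assumption: an LTS line is cut from the weekly release of the same number,
    # so lines at or beyond the weekly fix already carry it. Anything else is
    # treated as affected, which is the conservative reading of the advisory.
    return line < WEEKLY_FIXED


def banner_from_headers(raw_headers: str) -> Optional[str]:
    """Extract the X-Jenkins value from a raw HTTP header block (case-insensitive)."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


if __name__ == "__main__":
    banner = banner_from_headers(SAMPLE_HEADERS)
    print(f"X-Jenkins: {banner} -> {'AFFECTED' if banner and is_affected(banner) else 'not affected'}")
```

Feed it the output of the curl command shown later on this page; a missing X-Jenkins header (the function returns None) should itself be treated as a finding, since it usually means the request reached a proxy rather than the controller.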
How to Mitigate CVE-2024-43044
Immediate Actions Required
- Upgrade Jenkins controllers to weekly 2.471 or later, or LTS 2.452.4 or 2.462.1 or later, as listed in the Jenkins security advisory
- Rotate all credentials stored in Jenkins, including SSH keys, API tokens, and cloud provider secrets, after patching
- Audit the list of agents authorized to connect and remove any unused or unrecognized entries
- Restrict network access to the Jenkins controller so only known agent hosts can reach the Remoting port
Patch Information
Jenkins addressed the issue by restricting ClassLoaderProxy#fetchJar to the intended JAR cache. Fixed versions are published in Jenkins Security Advisory 2024-08-07 (SECURITY-3430). Administrators should apply the upgrade to both the controller and the bundled Remoting library distributed to agents.
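The Root Cause and Patch Information sections describe the same defect from both sides: a file-serving method that joins an agent-supplied path and reads it, and a fix that confines the method to the JAR cache. The following added example is a generic illustration of that pattern in Python; it is not the Remoting library's code, and the JENKINS_HOME layout it builds under a temporary directory (a jars/ cache and a secrets/master.key file) is constructed. It also covers two edge cases a confinement check has to get right: an absolute path, which pathlib joins by discarding the base entirely, and symlinks, which resolve() follows before the containment test.

```python
import tempfile
from pathlib import Path


class AccessDenied(Exception):
    """Raised when a request names something outside the JAR cache."""


def fetch_jar_unrestricted(base: Path, requested: str) -> bytes:
    # Shape of the flaw: the agent-supplied path is joined and read as given.
    # pathlib silently drops `base` when `requested` is absolute.
    return (base / requested).read_bytes()


def fetch_jar_confined(jar_cache: Path, requested: str) -> bytes:
    # Hardened form: canonicalise both sides (following symlinks) and refuse
    # anything that does not land inside the cache as a regular .jar file.
    cache = jar_cache.resolve()
    target = (cache / requested).resolve()
    if not target.is_relative_to(cache):          # Python 3.9+
        raise AccessDenied(f"{requested!r} escapes the JAR cache")
    if target.suffix != ".jar" or not target.is_file():
        raise AccessDenied(f"{requested!r} is not a cached JAR")
    return target.read_bytes()


def is_denied(jar_cache: Path, requested: str) -> bool:
    """Helper for tests and demos: True when the confined fetch refuses the request."""
    try:
        fetch_jar_confined(jar_cache, requested)
    except AccessDenied:
        return True
    return False


def build_demo_home() -> Path:
    # Constructed stand-in for JENKINS_HOME: a jars/ cache plus a secret that
    # must never cross the Remoting channel. Contents are placeholders.
    home = Path(tempfile.mkdtemp(prefix="jenkins-home-demo-"))
    (home / "jars").mkdir()
    (home / "jars" / "remoting-support.jar").write_bytes(b"PK\x03\x04 constructed jar bytes")
    (home / "secrets").mkdir()
    (home / "secrets" / "master.key").write_bytes(b"constructed-master-key")
    return home


if __name__ == "__main__":
    home = build_demo_home()
    cache = home / "jars"
    print("unrestricted variant returns the secret:",
          fetch_jar_unrestricted(cache, "../secrets/master.key") == b"constructed-master-key")
    for req in ("remoting-support.jar", "../secrets/master.key",
                str(home / "secrets" / "master.key"), "missing.jar"):
        print(f"{req!r}: {'denied' if is_denied(cache, req) else 'served'}")
```

Note that the containment test is done on canonical paths, so a request such as ../jars/remoting-support.jar is still served because it resolves to a file inside the cache; what is refused is any canonical location outside it, whichever spelling the agent used.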
Workarounds
- No supported configuration workaround exists; upgrading the controller and Remoting library is required
- As a temporary compensating control, isolate the Jenkins controller on a dedicated network segment and limit agent connections to trusted, hardened hosts
- Run agents under least-privilege accounts and avoid storing high-value credentials on the controller until patching is complete
# Verify the running Jenkins version on the controller
curl -sI http://jenkins.example.local/ | grep -i '^X-Jenkins:'
# Example LTS upgrade on a Debian-based controller
sudo systemctl stop jenkins
sudo apt-get update
sudo apt-get install --only-upgrade jenkins
sudo systemctl start jenkins
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.