Back to KEVs

CVE-2024-23897

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by...

Basic Information

CVE State: PUBLISHED
Reserved Date: January 23, 2024
Published Date: January 24, 2024
Last Updated: August 19, 2024
Vendor: Jenkins Project
Product: Jenkins
Description: Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2024-08-19 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2024-02-07 15:07:37 UTC) Source
Used in Malware: Yes (added 2024-08-19 00:00:00 UTC) Source

References

https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ http://www.openwall.com/lists/oss-security/2024/01/24/6 http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html

Known Exploited Vulnerability Information

Source	Added Date
CISA	2024-08-19 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2024/CVE-2024-23897.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

verylazytech/CVE-2024-23897

Type: github • Created: 2024-09-30 16:38:28 UTC • Stars: 8

POC - Jenkins File Read Vulnerability - CVE-2024-23897

Maalfer/CVE-2024-23897

Type: github • Created: 2024-05-16 09:32:51 UTC • Stars: 8

Poc para explotar la vulnerabilidad CVE-2024-23897 en versiones 2.441 y anteriores de Jenkins, mediante la cual podremos leer archivos internos del sistema sin estar autenticados

mil4ne/CVE-2024-23897-Jenkins-4.441

Type: github • Created: 2024-05-08 02:28:46 UTC • Stars: 5

ThatNotEasy/CVE-2024-23897

Type: github • Created: 2024-02-19 02:29:12 UTC • Stars: 2

Perform with massive Jenkins Reading-2-RCE

godylockz/CVE-2024-23897

Type: github • Created: 2024-02-16 07:16:04 UTC • Stars: 26

POC for CVE-2024-23897 Jenkins File-Read

Praison001/CVE-2024-23897-Jenkins-Arbitrary-Read-File-Vulnerability

Type: github • Created: 2024-02-07 15:07:37 UTC • Stars: 3

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.