CVE-2024-23897

CVSS 9.8 CRITICAL | EPSS 100.0% | KEV | CWE-27
In short

Jenkins allows unauthenticated attackers to read any file on the server: an '@' followed by a file path in a CLI command argument is expanded by the argument parser into the contents of that file instead of being treated as literal text.

Technical detail

The CLI argument parser in Jenkins versions 2.441 and earlier interprets the '@<filepath>' syntax as an instruction to load that file's contents, allowing unauthenticated remote file reads through arguments passed to the CLI interface. This requires network access to the Jenkins CLI port but no authentication, enabling disclosure of sensitive configuration and credential files.

Summary generated and translated by AI from the official description.
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Public PoCs found: 45
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.