Lucene search

K
cvelistJenkinsCVELIST:CVE-2024-23897
HistoryJan 24, 2024 - 5:52 p.m.

CVE-2024-23897

2024-01-2417:52:22
jenkins
www.cve.org
cve-2024-23897
jenkins
cli parser
unauthenticated attackers
file system

9.7 High

AI Score

Confidence

High

0.961 High

EPSS

Percentile

99.5%

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an β€˜@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Jenkins",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThan": "1.606",
        "status": "unaffected",
        "version": "0",
        "versionType": "maven"
      },
      {
        "lessThan": "*",
        "status": "unaffected",
        "version": "2.442",
        "versionType": "maven"
      },
      {
        "lessThan": "2.426.*",
        "status": "unaffected",
        "version": "2.426.3",
        "versionType": "maven"
      },
      {
        "lessThan": "2.440.*",
        "status": "unaffected",
        "version": "2.440.1",
        "versionType": "maven"
      }
    ]
  }
]