CVE-2024-23897

2024-01-2417:52:22

jenkins

github.com

jenkins

cve-2024-23897

security vulnerability

cli command parser

unauthenticated attackers

file system

AI Score

9.6

Confidence

High

EPSS

0.97

Percentile

99.8%

SSVC

Exploitation

active

Automatable

Yes

Technical Impact

total

JSON

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an ‘@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

CNA Affected

[
  {
    "vendor": "Jenkins Project",
    "product": "Jenkins",
    "versions": [
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "1.606",
        "versionType": "maven"
      },
      {
        "status": "unaffected",
        "version": "2.442",
        "lessThan": "*",
        "versionType": "maven"
      },
      {
        "status": "unaffected",
        "version": "2.426.3",
        "lessThan": "2.426.*",
        "versionType": "maven"
      },
      {
        "status": "unaffected",
        "version": "2.440.1",
        "lessThan": "2.440.*",
        "versionType": "maven"
      }
    ],
    "defaultStatus": "affected"
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*"
    ],
    "vendor": "jenkins",
    "product": "jenkins",
    "versions": [
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "1.606",
        "versionType": "maven"
      },
      {
        "status": "unaffected",
        "version": "2.442",
        "lessThan": "*",
        "versionType": "maven"
      },
      {
        "status": "unaffected",
        "version": "2.426.3",
        "lessThan": "2.427",
        "versionType": "maven"
      },
      {
        "status": "unaffected",
        "version": "2.440.1",
        "lessThan": "2.441",
        "versionType": "maven"
      }
    ],
    "defaultStatus": "affected"
  }
]