Security News > 2024 > January > Exploits released for critical Jenkins RCE flaw, patch now

Multiple proof-of-concept exploits for a critical Jenkins vulnerability allowing unauthenticated attackers to read arbitrary files have been made publicly available, with some researchers reporting attackers actively exploiting the flaws in attacks.
SonarSource researchers discovered two flaws in Jenkins that could enable attacks to access data in vulnerable servers and execute arbitrary CLI commands under certain conditions.
The first flaw, rated critical, is CVE-2024-23897, allowing unauthenticated attackers with 'overall/read' permission to read data from arbitrary files on the Jenkins server.
On January 24, 2024, Jenkins released fixes for the two flaws with versions 2.442 and LTS 2.426.3, and published an advisory that shares various attack scenarios and exploitation pathways, as well as fix descriptions and possible workarounds for those unable to apply the security updates.
With abundant information about the Jenkins flaws now available, many researchers reproduced some of the attack scenarios and created working PoC exploits published on GitHub.
VMware confirms critical vCenter flaw now exploited in attacks.
News URL
Related news
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (source)
- Critical Erlang/OTP SSH RCE bug now has public exploits, patch now (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- Stealthy Apache Tomcat Critical Exploit Bypasses Security Filters: Are You at Risk? (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Veeam RCE bug lets domain users hack backup servers, patch now (source)
- Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-01-24 | CVE-2024-23897 | Path Traversal vulnerability in Jenkins Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | 9.8 |