Security News > 2024 > January > Critical Jenkins RCE flaw exploited in the wild. Patch now! (CVE-2024-23897)
Several proof-of-concept exploits for a recently patched critical vulnerability in Jenkins have been made public and there's evidence of exploitation in the wild.
Jenkins is a widely used Java-based open-source automation server that helps developers build, test and deploy applications, enabling continuous integration and continuous delivery.
CVE-2024-23897 is an arbitrary file read vulnerability in Jenkins' built-in command line interface that could allow an unauthenticated threat actor with Overall/Read permission to read arbitrary files on the Jenkins controller file system.
The vulnerability can also be exploited to read binary files containing cryptographic keys used for various Jenkins features, he says.
PoCs for CVE-2024-23897 have been made public and could be leveraged by attackers to compromise unpatched Jenkins servers.
Both vulnerabilities have been fixed in Jenkins 2.442 and LTS 2.426.3, so Jenkins users are urged to patch as soon as possible.
News URL
https://www.helpnetsecurity.com/2024/01/29/cve-2024-23897/
Related news
- SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management (source)
- Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution (source)
- Netgear warns users to patch critical WiFi router vulnerabilities (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-24 | CVE-2024-23897 | Path Traversal vulnerability in Jenkins Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | 9.8 |