Jenkins jitters as 45,000 servers still vulnerable to RCE attacks after patch released (Security News, January 2024)

The number of public-facing installs of Jenkins servers vulnerable to a recently disclosed critical vulnerability is in the tens of thousands.
Trailing them are India, Germany, Republic of Korea, France, and the UK. The revelation of the vast attack surface comes days after multiple exploits were made public on January 26 - themselves released just two days after the coordinated disclosure from Jenkins and Yaniv Nizry, the researcher at Sonar who first discovered the vulnerability.
CVE-2024-23897 is the critical vulnerability disclosed by Sonar and the main reason for Jenkins attracting so much attention from the infosec community of late, although a separate high-severity flaw was also disclosed.
"As of publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent releases of Jenkins without having any plugins installed, and has not identified any plugins that would increase this line count," the advisory reads.
The Jenkins team went on to detail the various attacks that could play out if the vulnerability were exploited, each resulting in a different kind of sensitive data being exposed.
Jenkins commonly uses 32-byte random binary secrets, meaning attackers would need to correctly guess 16 bytes, which the developers said is "unfeasible."
News URL: https://go.theregister.com/feed/www.theregister.com/2024/01/30/jenkins_rce_flaw_patch/
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-24 | CVE-2024-23897 | Path Traversal vulnerability in Jenkins: Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | 9.8 |
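Given the tens of thousands of exposed instances mentioned above, the first defensive step is to sort an inventory of Jenkins versions against the affected ranges in the table (weekly 2.441 and earlier, LTS 2.426.2 and earlier). The following is an added example written for this page, not code from Jenkins or The Register; the hostnames and version strings in the sample inventory are constructed, and the weekly-versus-LTS distinction is made on the version's component count (LTS versions such as 2.426.2 carry a third component).

```python
# Constructed triage helper for CVE-2024-23897; not Jenkins project code.
# Affected ranges come from the advisory table on this page: weekly 2.441 and
# earlier (two-component versions such as "2.441") and LTS 2.426.2 and earlier
# (three-component versions such as "2.426.2").
import re
from typing import List, Tuple

AFFECTED_WEEKLY_MAX = (2, 441)
AFFECTED_LTS_MAX = (2, 426, 2)
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){1,2})")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "2.441", "2.426.2" or "2.426.2-rc" into ints; qualifiers are dropped."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(text: str) -> bool:
    """True if the version lies inside the ranges listed for CVE-2024-23897.
    LTS versions carry a third component and are compared against the LTS bound;
    weekly versions against the weekly bound."""
    v = parse_version(text)
    bound = AFFECTED_LTS_MAX if len(v) == 3 else AFFECTED_WEEKLY_MAX
    return v <= bound

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair 'vulnerable', 'patched' or 'unknown'."""
    result = []
    for host, version in inventory:
        try:
            status = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            status = "unknown"  # banner not parseable; needs a manual look
        result.append((host, version, status))
    return result

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ci-01.example.test", "2.441"),    # last affected weekly release
    ("ci-02.example.test", "2.442"),    # first weekly past the affected range
    ("ci-03.example.test", "2.426.2"),  # last affected LTS release
    ("ci-04.example.test", "2.426.3"),  # LTS past the affected range
    ("ci-05.example.test", "2.414.3"),  # older LTS line, still affected
    ("ci-06.example.test", "n/a"),      # unparseable banner
]
```

Calling `triage(SAMPLE_INVENTORY)` labels ci-01, ci-03 and ci-05 as vulnerable, ci-02 and ci-04 as patched, and ci-06 as unknown; anything marked unknown still needs a manual version check rather than being assumed safe.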