CVE-2024-23897 - Arbitrary file read through the CLI command parser in Jenkins
CVSS v3 base metrics
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier, do not disable a feature of the args4j library that parses Jenkins CLI command arguments: an argument consisting of an '@' character followed by a file path is replaced with the contents of that file. Because the CLI is reachable over HTTP (and over SSH or WebSocket where enabled) without authentication, unauthenticated attackers can read arbitrary files on the Jenkins controller file system, subject to the permissions of the controller process. Per the Jenkins advisory, attackers with Overall/Read permission can read entire files, while attackers without it are limited to the first few lines of a file; the advisory also describes how the read primitive can be chained into remote code execution, which is why the news coverage below reports the issue as RCE. The feature is disabled in Jenkins 2.442 and LTS 2.426.3.
Vulnerable Configurations
- Jenkins weekly releases 2.441 and earlier
- Jenkins LTS releases 2.426.2 and earlier
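A version triage check, added here as an example and not code from this page or from the Jenkins project. It parses the version string that a Jenkins controller returns in its X-Jenkins HTTP response header (the header name is assumed from standard Jenkins behaviour) and compares it against the first fixed releases, 2.442 for the weekly line and 2.426.3 for the LTS line, which follow from the affected ranges above. The split between LTS and weekly is the part worth getting right: LTS 2.426.3 is fixed even though weekly 2.426 sits far below 2.442, so a single numeric comparison would misclassify LTS installations. The sample headers at the bottom are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed releases for SECURITY-3314 / CVE-2024-23897.
# Weekly versions have two components ("2.441"), LTS versions three ("2.426.2").
FIXED_WEEKLY: Tuple[int, ...] = (2, 442)
FIXED_LTS: Tuple[int, ...] = (2, 426, 3)

# Leading "major.minor[.patch]"; anything after (e.g. "-SNAPSHOT") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Parse a Jenkins version string into a tuple of ints, or None if it is not one."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups() if part is not None)


def is_lts(parsed: Tuple[int, ...]) -> bool:
    """LTS releases carry a third version component; weekly releases do not."""
    return len(parsed) == 3


def is_vulnerable_to_cve_2024_23897(version: str) -> Optional[bool]:
    """True if the version predates the fix on its own release line.

    Returns None when the version string cannot be parsed, so that an
    unrecognised value is never silently reported as safe.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Compare within the release line; LTS and weekly numbering are not comparable.
    if is_lts(parsed):
        return parsed < FIXED_LTS
    return parsed < FIXED_WEEKLY


def assess_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Triage one HTTP response's headers (case-insensitive) for this CVE."""
    lowered = {k.lower(): v for k, v in headers.items()}
    version = lowered.get("x-jenkins")  # header name assumed from Jenkins behaviour
    if version is None:
        return {"version": None, "vulnerable": None, "reason": "no X-Jenkins header"}
    verdict = is_vulnerable_to_cve_2024_23897(version)
    if verdict is None:
        reason = "unparseable version"
    elif verdict:
        line = "LTS" if is_lts(parse_version(version)) else "weekly"
        fixed = FIXED_LTS if line == "LTS" else FIXED_WEEKLY
        reason = f"{line} release below {'.'.join(map(str, fixed))}"
    else:
        reason = "at or above first fixed release"
    return {"version": version, "vulnerable": verdict, "reason": reason}


if __name__ == "__main__":
    # Constructed sample responses, not captured from real servers.
    samples = [
        {"Server": "Jetty(10.0.18)", "X-Jenkins": "2.441"},
        {"Server": "Jetty(10.0.18)", "X-Jenkins": "2.426.2"},
        {"Server": "Jetty(10.0.18)", "X-Jenkins": "2.426.3"},
        {"Server": "nginx"},
    ]
    for hdrs in samples:
        print(assess_headers(hdrs))
```

A "vulnerable" verdict here only means the affected code is present; whether the CLI endpoint is actually reachable, and what the controller process can read, still has to be confirmed against the advisory and the deployment. A missing or unparseable X-Jenkins header is reported as unknown rather than safe, since reverse proxies sometimes strip it.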
Related news
- Critical Jenkins Vulnerability Exposes Servers to RCE Attacks - Patch ASAP! (source)
- Exploits released for critical Jenkins RCE flaw, patch now (source)
- Critical Jenkins RCE flaw exploited in the wild. Patch now! (CVE-2024-23897) (source)
- Jenkins jitters as 45,000 servers still vulnerable to RCE attacks after patch released (source)
References
- https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
- http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html
- http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html
- http://www.openwall.com/lists/oss-security/2024/01/24/6