CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2024-23897

CVSS 9.8v3.1pub. 2024-01-24upd. 2025-10-24

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

🤖 AI Analysis
How it works

The Jenkins CLI command parser contains a function that automatically replaces the '@' character preceding a file path with the contents of that file. This mechanism is not disabled for unauthenticated users, allowing an attacker to craft a CLI request containing an argument in the form '@/path/to/file'. In response, the server returns the contents of the specified file from the Jenkins controller file system, without requiring any permissions.

Impact

An attacker can read any files accessible to the Jenkins process, including configuration files, SSH keys, secrets, API tokens and credentials, which can ultimately lead to complete takeover of the CI/CD environment.

Mitigation & patch

Jenkins must be updated to version 2.442 or newer (weekly) or to LTS version 2.426.3 or newer. Patch details are available in the official Jenkins security advisory: https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314

Who is affected

Jenkins in version 2.441 and earlier; Jenkins LTS in version 2.426.2 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jenkins

    APP
    Jenkins
    < 2.426.3< 2.442

CISA KEV — detailsi

Vendori
Jenkins
Producti
Jenkins Command Line Interface (CLI)
Added to KEVi
August 19, 2024
Remediation deadline (US Federal)i
September 9, 2024(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 9 września 2024
Tags
Auth BypassCI/CDPath Traversal
CWE
References

Related vulnerabilities

CVE-2018-1000861CRITICAL9.8⚠ KEVten sam produkt

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.13...

CVE-2017-1000353CRITICAL9.8⚠ KEVten sam produkt

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remot...

CVE-2023-27898CRITICAL9.6ten sam produkt

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the...

CVE-2021-21685CRITICAL9.1ten sam produkt

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent ...

CVE-2021-21687CRITICAL9.1ten sam produkt

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symboli...