CVE-2024-23897 (Exploit Available)

Jenkins Arbitrary File Read via CLI Parser

Vendor: Jenkins | Weakness: CWE-88 | Tags: File Read, CI/CD, Unauthenticated, Secrets Exposure

CVSS Base Score: 7.5 (High)

Vulnerability Description

An unauthenticated attacker can read arbitrary files from the Jenkins controller file system, including secrets, credentials, and SSH keys, due to a vulnerability in the CLI command parser that incorrectly expands file paths.

Recommended Mitigation

Update Jenkins to weekly 2.442 or LTS 2.426.3. As a workaround, disable the Jenkins CLI, or set the -Dorg.kohsuke.args4j.noOptionAsFileNameIfOptionDefinitionStartsWith=@ system property.

Affected Products

Jenkins LTS
Jenkins Weekly

Version constraint: Jenkins weekly < 2.442, LTS < 2.426.3

Quick Facts

Published: 2024-01-24
Last Modified: 2024-01-30
Vendor: Jenkins
CWE: CWE-88
Exploit: Public exploit exists

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N