Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
CVE-2024-23897
Score elevated to 9.8 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2024-08-19), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 9.8 retained for reference. Confidence: HIGH.
- 320 internet-exposed hosts are running an affected version right now
- Actively exploited in the wild (CISA-KEV)
- Linked to ransomware campaigns
A fix is available — apply it.
320 internet-exposed hosts are running an affected version of CVE-2024-23897 right now.
EchelonGraph is the only CVE feed that fuses live vulnerability intelligence with its own live internet-exposure radar — so you see not just that a CVE is exploited, but how much of the internet is exposed to it right now.
- CVSS v3
- 9.8
- EG Score
- 9.8(medium)
- EPSS
- 100.0%
- KEV
- ⚠ Exploited
Published
January 24, 2024
Last Modified
October 24, 2025
Advisory Details (3)
Auto-updated Jun 1, 2026Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins | Sonar
https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/Jenkins Security Advisory 2024-01-24
https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314oss-security - Multiple vulnerabilities in Jenkins and Jenkins plugins
http://www.openwall.com/lists/oss-security/2024/01/24/6Vendor Advisories for CVE-2024-23897(3)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2024:0775Red Hat Product SecurityHigh
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
- RHSA-2024:0778Red Hat Product SecurityHigh
Red Hat Security Advisory: Jenkins and Jenkins-2-plugins security update
- RHSA-2024:0776Red Hat Product SecurityHigh
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Patch Availability(3)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | jenkins-0:2.426.3.1706516254-3.el8 | 2024-02-12 | redhat |
| redhat | jenkins-0:2.426.3.1706516929-3.el8 | 2024-02-12 | redhat |
| redhat | jenkins-0:2.426.3.1706515686-3.el8 | 2024-02-12 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | 2.441 | 2.442 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 85× in last 7d / 360× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 506 total refreshes for this CVE.
- 2026-07-12 02:39 UTCEG score recompute
- 2026-07-12 02:39 UTCVendor advisory
- 2026-07-11 22:31 UTCEG score recompute
- 2026-07-11 22:31 UTCVendor advisory
- 2026-07-11 18:23 UTCEG score recompute
- 2026-07-11 18:23 UTCVendor advisory
- 2026-07-11 14:14 UTCEG score recompute
- 2026-07-11 14:14 UTCVendor advisory
- 2026-07-11 10:04 UTCEG score recompute
- 2026-07-11 10:04 UTCVendor advisory
- 2026-07-11 05:55 UTCEG score recompute
- 2026-07-11 05:55 UTCVendor advisory
- 2026-07-11 01:47 UTCEG score recompute
- 2026-07-11 01:47 UTCVendor advisory
- 2026-07-10 21:38 UTCEG score recompute
- 2026-07-10 21:38 UTCVendor advisory
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 17:30 UTCEG score recompute
- 2026-07-10 17:30 UTCVendor advisory
- 2026-07-10 13:22 UTCEG score recompute
- 2026-07-10 13:22 UTCVendor advisory
- 2026-07-10 09:13 UTCEG score recompute
- 2026-07-10 09:13 UTCVendor advisory
- 2026-07-10 05:05 UTCEG score recompute
- 2026-07-10 05:05 UTCVendor advisory
Show 75 moreShow fewer
- 2026-07-10 00:57 UTCEG score recompute
- 2026-07-10 00:57 UTCVendor advisory
- 2026-07-09 20:48 UTCEG score recompute
- 2026-07-09 20:48 UTCVendor advisory
- 2026-07-09 16:40 UTCEG score recompute
- 2026-07-09 16:40 UTCVendor advisory
- 2026-07-09 12:32 UTCEG score recompute
- 2026-07-09 12:32 UTCVendor advisory
- 2026-07-09 08:24 UTCEG score recompute
- 2026-07-09 08:24 UTCVendor advisory
- 2026-07-09 04:16 UTCEG score recompute
- 2026-07-09 04:16 UTCVendor advisory
- 2026-07-09 00:08 UTCEG score recompute
- 2026-07-09 00:08 UTCVendor advisory
- 2026-07-08 20:00 UTCEG score recompute
- 2026-07-08 20:00 UTCVendor advisory
- 2026-07-08 15:50 UTCEG score recompute
- 2026-07-08 15:50 UTCVendor advisory
- 2026-07-08 11:42 UTCEG score recompute
- 2026-07-08 11:42 UTCVendor advisory
- 2026-07-08 07:33 UTCEG score recompute
- 2026-07-08 07:33 UTCVendor advisory
- 2026-07-08 03:25 UTCEG score recompute
- 2026-07-08 03:25 UTCVendor advisory
- 2026-07-07 23:17 UTCEG score recompute
- 2026-07-07 23:17 UTCVendor advisory
- 2026-07-07 19:09 UTCEG score recompute
- 2026-07-07 19:09 UTCVendor advisory
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 14:59 UTCEG score recompute
- 2026-07-07 14:59 UTCVendor advisory
- 2026-07-07 10:49 UTCEG score recompute
- 2026-07-07 10:49 UTCVendor advisory
- 2026-07-07 06:40 UTCEG score recompute
- 2026-07-07 06:40 UTCVendor advisory
- 2026-07-07 02:31 UTCEG score recompute
- 2026-07-07 02:31 UTCVendor advisory
- 2026-07-06 22:23 UTCEG score recompute
- 2026-07-06 22:23 UTCVendor advisory
- 2026-07-06 18:14 UTCEG score recompute
- 2026-07-06 18:14 UTCVendor advisory
- 2026-07-06 14:04 UTCEG score recompute
- 2026-07-06 14:04 UTCVendor advisory
- 2026-07-06 09:57 UTCEG score recompute
- 2026-07-06 09:57 UTCVendor advisory
- 2026-07-06 05:48 UTCEG score recompute
- 2026-07-06 05:48 UTCVendor advisory
- 2026-07-06 01:38 UTCEG score recompute
- 2026-07-06 01:38 UTCVendor advisory
- 2026-07-05 21:30 UTCEG score recompute
- 2026-07-05 21:30 UTCVendor advisory
- 2026-07-05 17:22 UTCEG score recompute
- 2026-07-05 17:22 UTCVendor advisory
- 2026-07-05 13:14 UTCEG score recompute
- 2026-07-05 13:14 UTCVendor advisory
- 2026-07-05 09:06 UTCEG score recompute
- 2026-07-05 09:06 UTCVendor advisory
- 2026-07-05 04:57 UTCEG score recompute
- 2026-07-05 04:57 UTCVendor advisory
- 2026-07-05 00:48 UTCEG score recompute
- 2026-07-05 00:48 UTCVendor advisory
- 2026-07-04 20:41 UTCEG score recompute
- 2026-07-04 20:41 UTCVendor advisory
- 2026-07-04 16:32 UTCEG score recompute
- 2026-07-04 16:32 UTCVendor advisory
- 2026-07-04 12:24 UTCEG score recompute
- 2026-07-04 12:24 UTCVendor advisory
- 2026-07-04 08:16 UTCEG score recompute
- 2026-07-04 08:16 UTCVendor advisory
- 2026-07-04 04:08 UTCEG score recompute
- 2026-07-04 04:08 UTCVendor advisory
- 2026-07-03 23:59 UTCEG score recompute
- 2026-07-03 23:59 UTCVendor advisory
- 2026-07-03 19:52 UTCEG score recompute
Publicly available exploits
(10 references)Working exploit code is in the public domain (9 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCverylazytech/CVE-2024-23897First seen Sep 30, 2024
POC - Jenkins File Read Vulnerability - CVE-2024-23897
Open source ↗ - GitHub PoCMaalfer/CVE-2024-23897First seen May 16, 2024
Poc para explotar la vulnerabilidad CVE-2024-23897 en versiones 2.441 y anteriores de Jenkins, mediante la cual podremos leer archivos internos del sistema sin estar autenticados
Open source ↗ - Exploit-DBEDB-51993First seen Apr 15, 2024
Jenkins 2.441 - Local File Inclusion
Open source ↗ - GitHub PoCgodylockz/CVE-2024-23897First seen Feb 16, 2024
POC for CVE-2024-23897 Jenkins File-Read
Open source ↗ - GitHub PoCkaanatmacaa/CVE-2024-23897First seen Feb 4, 2024
Nuclei template for CVE-2024-23897 (Jenkins LFI Vulnerability)
Open source ↗ - GitHub PoCVozec/CVE-2024-23897First seen Jan 28, 2024
This repository presents a proof-of-concept of CVE-2024-23897
Open source ↗ - GitHub PoCP4x1s/CVE-2024-23897First seen Jan 27, 2024
CVE-2024-23897 jenkins-cli
Open source ↗ - GitHub PoCwjlin0/CVE-2024-23897First seen Jan 27, 2024
CVE-2024-23897 - Jenkins 任意文件读取 利用工具
Open source ↗ - GitHub PoCxaitax/CVE-2024-23897First seen Jan 26, 2024
CVE-2024-23897 | Jenkins <= 2.441 & <= LTS 2.426.2 PoC and scanner.
Open source ↗ - GitHub PoCh4x0r-dz/CVE-2024-23897First seen Jan 26, 2024
CVE-2024-23897
Open source ↗
Frequently asked(6)
What is CVE-2024-23897?
When was CVE-2024-23897 disclosed?
Is CVE-2024-23897 actively exploited?
What is the CVSS score of CVE-2024-23897?
Which products are affected by CVE-2024-23897?
How do I remediate CVE-2024-23897?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2024-23897
Is Your Infrastructure Affected by CVE-2024-23897?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.