CVE-2024-23897
published 2024-01-24


Priority: P1 (100), critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2024-09-09
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

Affected (12 ranges)

Vendor   Product                                              Version range   Fixed in
jenkins  git_server_plugin
jenkins  gitlab_branch_source_plugin
jenkins  jenkins                                              < 2.426.3       2.426.3
jenkins  jenkins                                              < 2.442         2.442
jenkins  jenkins_core
jenkins  jenkins_lts
jenkins  jenkins_uses_the_strict_crumb_issuer_plugin
jenkins  jenkins_weekly
jenkins  log_command_plugin
jenkins  matrix_project_plugin
jenkins  qualys_policy_compliance_scanning_connector_plugin
jenkins  red_hat_dependency_analytics_plugin

Detection & IOCs (extracted from sources)

URL: /cli
Command: java -jar jenkins-cli.jar -s http://172.17.0[.]1:8080/ -auth admin:pass reload-job @/etc/passwd
  • Monitor Jenkins access logs and web server logs for POST requests to the /cli endpoint containing the '@' character followed by a file path in the arguments — this is the core exploit pattern for CVE-2024-23897.
  • A SIEM rule should flag any Jenkins CLI command containing the '@' character in its arguments, as this is the core of the exploit.
  • The exploit uses the Jenkins PlainCLIProtocol binary format: each message is framed with a 4-byte big-endian int length, followed by a 1-byte opcode, then data. Signature-based detection should look for this binary framing in POST bodies to /cli.
  • Attack requests from Windows machines to Jenkins use windows-1252 encoding; requests from Linux machines use UTF-8. Encoding in the CLI POST body can help distinguish attacker platform.
  • WebSocket-based exploit requests will have masking applied to the data, making user input invisible in captures. Inspect masked WebSocket frames to the Jenkins CLI endpoint as a potential attack vector.
  • Unauthenticated attackers can exploit CLI commands including 'help', 'who-am-i', 'restart', 'shutdown', and 'enable-job' with the '@' file-read technique. Monitor for these commands with '@' arguments in Jenkins logs.
  • Authenticated attackers can use CLI commands such as 'connect-node', 'reload-job', 'delete-job', 'delete-node', 'disconnect-node', 'offline-node', and 'online-node' with '@/path/to/file' to read entire files. Alert on these commands with '@' prefixed arguments.
  • Check Point IPS blade signature 'Jenkins Information Disclosure (CVE-2024-23897)' provides detection coverage for this vulnerability.
  • Unauthenticated attackers are limited to reading the first few lines of files; the exact number of lines depends on the CLI command used. Authenticated users with Overall/Read permission can read entire files.
  • CVE-2024-23897 is exploitable via HTTP, WebSocket, and SSH, with HTTP and WebSocket having the highest chance of exploitation.
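As an added detection example (not code from the page or from any of its sources): a parser for a captured POST body to /cli that walks the framing described above (4-byte big-endian length, 1-byte opcode, data) and flags argument frames whose value is an '@' followed by a file path. The sample body is constructed here; the ARG opcode ordinal (0), the length field covering opcode plus data, and the optional Java writeUTF length prefix on argument text are assumptions taken from the Jenkins source, not from the page.

```python
"""Flag '@<path>' arguments inside a captured Jenkins CLI POST body."""
import re
import struct
from typing import Iterator, List, Tuple

OP_ARG = 0  # assumed ordinal of PlainCLIProtocol.Op.ARG (not stated on the page)
# '@' followed by an absolute POSIX path or a Windows drive path, nothing else
AT_FILE = re.compile(r"^@(/\S*|[A-Za-z]:\\\S*)$")


def iter_frames(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (opcode, data) per well-formed frame; stop at a truncated one."""
    pos = 0
    while pos + 5 <= len(body):
        (length,) = struct.unpack(">I", body[pos:pos + 4])  # covers opcode + data
        if length < 1 or pos + 4 + length > len(body):
            break  # malformed or cut-off frame: never read past the body
        opcode = body[pos + 4]
        yield opcode, body[pos + 5:pos + 4 + length]
        pos += 4 + length


def decode_arg(data: bytes) -> str:
    """Decode an ARG payload, tolerating an optional 2-byte writeUTF length prefix."""
    if len(data) >= 2 and struct.unpack(">H", data[:2])[0] == len(data) - 2:
        data = data[2:]  # a short argument could collide by chance; acceptable here
    return data.decode("utf-8", errors="replace")


def flag_at_file_args(body: bytes) -> List[str]:
    """Return every '@<path>' argument carried in ARG frames of the body."""
    hits = []
    for opcode, data in iter_frames(body):
        if opcode != OP_ARG:
            continue
        arg = decode_arg(data)
        if AT_FILE.match(arg):
            hits.append(arg)
    return hits


def frame(opcode: int, data: bytes) -> bytes:
    """Build one frame; used only to construct the sample body below."""
    return struct.pack(">I", 1 + len(data)) + bytes([opcode]) + data


# Constructed sample: a CLI request whose second argument is an '@' file read,
# followed by one non-ARG frame (opcode 7 is an arbitrary placeholder).
SAMPLE_BODY = frame(OP_ARG, b"reload-job") + frame(OP_ARG, b"@/etc/passwd") + frame(7, b"")

if __name__ == "__main__":
    print(flag_at_file_args(SAMPLE_BODY))  # ['@/etc/passwd']
```

WebSocket-framed requests are masked on the wire, so this check applies to the unmasked payload (for example after a proxy or WebSocket-aware sensor has decoded the frames).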

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck               9.8    CRITICAL
cisa                    9.8    CRITICAL
vendor_oracle           9.8    CRITICAL
vendor_redhat           9.8    CRITICAL