cbcvebase.
CVE-2024-23898
published 2024-01-24

CVE-2024-23898: Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI…

PriorityP266high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
66.92%
99.2th percentile
Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.

Affected

12 ranges
VendorProductVersion rangeFixed in
jenkinsgit_server_plugin
jenkinsgitlab_branch_source_plugin
jenkinsjenkins2.217 – 2.441
jenkinsjenkins2.222.1 – 2.426.2
jenkinsjenkins_core
jenkinsjenkins_lts
jenkinsjenkins_uses_the_strict_crumb_issuer_plugin
jenkinsjenkins_weekly
jenkinslog_command_plugin
jenkinsmatrix_project_plugin
jenkinsqualys_policy_compliance_scanning_connector_plugin
jenkinsred_hat_dependency_analytics_plugin

Detection & IOCsextracted from sources · hover to see the quote

  • The vulnerability targets the Jenkins CLI WebSocket endpoint — monitor for cross-origin WebSocket upgrade requests (HTTP 101) to the Jenkins CLI WebSocket path from unexpected or untrusted origins
  • Attackers exploit this by tricking authenticated users into clicking a malicious link — look for WebSocket connections to Jenkins CLI endpoint originating from external/third-party referrer domains
  • Active exploitation has been observed in the wild — prioritize detection on internet-exposed Jenkins instances running versions 2.217–2.441 or LTS 2.222.1–2.426.2
  • Multiple public PoC exploits are available on GitHub for the companion CVE-2024-23897 (arbitrary file read / RCE), which is frequently chained with CVE-2024-23898 — monitor for scanning activity and CLI command execution on Jenkins controllers
  • ·Affected versions are Jenkins core 2.217 through 2.441 (inclusive) and LTS 2.222.1 through 2.426.2 (inclusive); fixed in 2.442 and LTS 2.426.3
  • ·Red Hat OpenShift Container Platform 3.11 ships an affected Jenkins package and has marked it 'Will not fix' — deployments on this platform remain permanently vulnerable and require compensating controls
  • ·Browser-level SameSite cookie policies may partially mitigate the CSWSH attack, but enforcement is not universal across all browsers/configurations

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.