CVE-2024-43044
published 2024-08-07
PriorityP267high8.8CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 28.78% (97.9th percentile)
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | jenkins | < 2.452.4 | 2.452.4 |
| jenkins | jenkins | < 2.471 | 2.471 |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
Detection & IOCs (extracted from sources)
- Monitor for agent processes invoking ClassLoaderProxy#fetchJar with paths outside the core/plugin classloader scope; such requests indicate exploitation of the arbitrary file read on the Jenkins controller.
- Alert on holders of Agent/Connect permission initiating unusual file retrieval requests over the Remoting channel; that permission is sufficient to exploit the vulnerability.
- Flag any Jenkins controller running Remoting 3256.v88a_f6e922152 or earlier as vulnerable to this arbitrary file read via ClassLoaderProxy#fetchJar, except the backport releases 3206.3208.v409508a_675ff and 3248.3250.v3277a_8e88c9b_, which already contain the fix.
- Treat exploitation as a potential RCE precursor: correlate arbitrary file reads of credentials or secrets from the controller with subsequent privilege escalation activity.
- Check whether the Java system property hudson.remoting.Channel.DISABLE_JAR_URL_VALIDATOR is set to true on the controller; it disables the CVE-2024-43044 path validation fix and re-exposes the vulnerability.
- The fix (the path restriction in ClassLoaderProxy#fetchJar) only needs to be present on the controller; agents running older Remoting versions are safe once the controller is patched.
- Setting hudson.remoting.Channel.DISABLE_JAR_URL_VALIDATOR=true on the controller re-enables the vulnerable code path and should only be used where agent code is trusted as much as Jenkins administrators.
- Setting jenkins.security.s2m.JarURLValidatorImpl.REJECT_ALL=true blocks ClassLoaderProxy#fetchJar entirely, but may break plugin functionality (bouncycastle API, Groovy, Ivy, TeamConcert) on agents running older Remoting versions.
- The binary-data encoding limitation that partially mitigated SECURITY-3314 does not apply here; file content is fully readable via this attack path.
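As an added example (not code from the page's sources or from the Jenkins project), the version and configuration checks behind the items above, written as a Python script. It assumes the version string comes from the controller's `X-Jenkins` response header and that the JVM options can be read from the controller's process command line; the sample header value and command line are constructed. The version check keeps the weekly and LTS ranges separate, because comparing an LTS version such as 2.462.1 against the weekly range would wrongly mark it affected.

```python
"""Classify a Jenkins controller against the CVE-2024-43044 ranges on this page
(weekly fixed in 2.471, LTS fixed in 2.452.4) and spot the documented opt-out
properties. Illustrative script, not Jenkins project code; inputs are constructed."""
import re

FIXED_WEEKLY = (2, 471)   # weekly line: 2.470 and earlier affected
FIXED_LTS = (2, 452, 4)   # LTS line: 2.452.3 and earlier affected
OPT_OUT_PROP = "hudson.remoting.Channel.DISABLE_JAR_URL_VALIDATOR"
REJECT_ALL_PROP = "jenkins.security.s2m.JarURLValidatorImpl.REJECT_ALL"


def parse_version(v: str) -> tuple:
    """'2.452.3' -> (2, 452, 3). Weekly versions have two components, LTS three."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {v!r}")
    return tuple(int(x) for x in m.groups() if x is not None)


def is_vulnerable_version(v: str) -> bool:
    """Compare against the range for the release line the version belongs to."""
    t = parse_version(v)
    if len(t) == 3:
        # LTS: anything below 2.452.4 (older LTS lines included) is in range;
        # later LTS lines compare above the fixed version and are treated as fixed.
        return t < FIXED_LTS
    return t < FIXED_WEEKLY


def parse_system_props(cmdline: str) -> dict:
    """Collect -Dname=value pairs from a java command line."""
    return dict(re.findall(r"-D([\w.]+)=(\S+)", cmdline))


def audit_controller(version: str, cmdline: str) -> list:
    """Return human-readable findings combining the version and property checks."""
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"core {version} is in the affected range; update to 2.471 or 2.452.4")
    props = parse_system_props(cmdline)
    if props.get(OPT_OUT_PROP, "").lower() == "true":
        findings.append(f"{OPT_OUT_PROP}=true re-enables the unrestricted fetchJar path")
    if props.get(REJECT_ALL_PROP, "").lower() == "true":
        findings.append(f"{REJECT_ALL_PROP}=true blocks fetchJar; plugins using "
                        "Channel#preloadJar may break on agents with older Remoting")
    return findings


# Constructed sample: an X-Jenkins header value and the controller's java command line.
SAMPLE_VERSION = "2.452.3"
SAMPLE_CMDLINE = ("java -Djava.awt.headless=true "
                  "-Dhudson.remoting.Channel.DISABLE_JAR_URL_VALIDATOR=true "
                  "-jar /usr/share/java/jenkins.war --httpPort=8080")

if __name__ == "__main__":
    for finding in audit_controller(SAMPLE_VERSION, SAMPLE_CMDLINE):
        print("finding:", finding)
```

In practice the version comes from `curl -sI https://jenkins.example/ | grep X-Jenkins` and the JVM options from the controller's process list or service unit; both inputs are stand-ins here.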
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vendor_oracle | 8.8 | HIGH | |
| vendor_redhat | 8.8 | HIGH | |
Oracle
Oracle Communications Risk Matrix: Configuration Management Platform (Jenkins) — CVE-2024-43044
vendor_oracle · 2025-04-15 · CVSS 8.8 (HIGH)
CVE: CVE-2024-43044
CVSS: 8.8
Protocol: HTTP
Remote exploit without authentication: No
Attack vector: Network
Advisory: cpuapr2025 (APR 2025)
Oracle
Oracle Communications Risk Matrix: ATS Framework (Jenkins) — CVE-2024-43044
vendor_oracle · 2024-10-15 · CVSS 8.8 (HIGH)
CVE: CVE-2024-43044
CVSS: 8.8
Protocol: HTTP
Remote exploit without authentication: No
Attack vector: Network
Advisory: cpuoct2024 (OCT 2024)
Jenkins
Jenkins Security Advisory 2024-08-07
vendor_jenkins · 2024-08-07 · CVSS 8.8 (HIGH)
This advisory announces vulnerabilities in the following Jenkins deliverables: Jenkins (core)
Descriptions
Arbitrary file read vulnerability through agent connections can lead to RCE
SECURITY-3430 / CVE-2024-43044
Severity (CVSS): Critical
Description:
Red Hat
jenkins: Arbitrary file read vulnerability through agent connections can lead to RCE
vendor_redhat · 2024-08-07 · CVSS 8.8 (HIGH) · CWE-22
A vulnerability was found in the Remoting library in Jenkins core, which handles communication between the Jenkins controller and agents. The ClassLoaderProxy#fetchJar function may allow malicious agents, or attackers with Agent/Connect permission, to read arbitrary files from the Jenkins controller's file system due to insufficient path restrictions, which could lead to privilege escalation and remote code execution (RCE).
Statement: This vulnerability is classified as critical because
GHSA
Jenkins Remoting library arbitrary file read vulnerability
ghsa · 2024-08-07 · HIGH · CWE-22
Jenkins uses the Remoting library (typically `agent.jar` or `remoting.jar`) for the communication between controller and agents. This library allows agents to load classes and classloader resources from the controller, so that Java objects sent from the controller (build steps, etc.) can be executed on agents.
In addition to individual class and resource files, Remoting also allows Jenkins plugins to transmit entire jar files to agents using the `Channel#preloadJar` API. As of publication of this advisory, this feature is used by the following plugins distributed by the Jenkins project: bouncycastle API, Groovy, Ivy, TeamConcert
In Remoting 3256.v88a_f6e922152 and earlier, except 3206.3208.v409508a_675ff and 3248.3250.v3277a_8e8
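The mechanism described in the GHSA and Red Hat entries, modelled as an added example in Python. This is not the Remoting Java code and does not reproduce the real JarURLValidatorImpl logic; it contrasts a fetch routine that trusts the agent-supplied file: URL (the shape of the vulnerable ClassLoaderProxy#fetchJar) with one that serves only jars registered with the controller's classloaders, and a REJECT_ALL-style switch. The directory layout, file contents and URLs are constructed.

```python
"""Model of the controller-side jar fetch that agents reach through Remoting.
Illustrative only; not Jenkins/Remoting code. Paths and contents are constructed."""
import os
import tempfile
from urllib.parse import urlparse
from urllib.request import url2pathname


class UnrestrictedFetchJar:
    """Vulnerable shape: resolve whatever file: URL the agent sends and return the
    bytes, so any file readable by the controller process can be fetched."""

    def fetch_jar(self, url: str) -> bytes:
        path = url2pathname(urlparse(url).path)
        with open(path, "rb") as f:
            return f.read()


class ValidatedFetchJar:
    """Hardened shape: the URL must resolve to a jar the controller's classloaders
    registered (core or plugin). reject_all models the REJECT_ALL property."""

    def __init__(self, allowed_jars, reject_all: bool = False):
        self.allowed = {os.path.realpath(p) for p in allowed_jars}
        self.reject_all = reject_all

    def fetch_jar(self, url: str) -> bytes:
        if self.reject_all:
            raise PermissionError("fetchJar rejected: REJECT_ALL is set")
        parts = urlparse(url)
        if parts.scheme != "file":
            raise PermissionError(f"fetchJar rejected: unsupported scheme {parts.scheme!r}")
        path = os.path.realpath(url2pathname(parts.path))  # normalises ../ and symlinks
        if path not in self.allowed:
            raise PermissionError(f"fetchJar rejected: {path} is not a classloader jar")
        with open(path, "rb") as f:
            return f.read()


def _rejected(guard: ValidatedFetchJar, url: str) -> bool:
    try:
        guard.fetch_jar(url)
    except PermissionError:
        return True
    return False


def demo() -> tuple:
    """Constructed controller home: one plugin jar and one secret file."""
    with tempfile.TemporaryDirectory() as home:
        jar = os.path.join(home, "plugins", "groovy", "WEB-INF", "lib", "groovy.jar")
        secret = os.path.join(home, "secrets", "master.key")
        for p, data in ((jar, b"PK\x03\x04 constructed jar"), (secret, b"constructed master key")):
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        jar_url, secret_url = "file://" + jar, "file://" + secret
        traversal_url = "file://" + os.path.join(home, "plugins", "..", "secrets", "master.key")

        leaked = UnrestrictedFetchJar().fetch_jar(secret_url)   # vulnerable: secret is returned

        guard = ValidatedFetchJar([jar])
        served = guard.fetch_jar(jar_url)                        # legitimate preloadJar case
        blocked = _rejected(guard, secret_url)                   # direct secret request
        traversal_blocked = _rejected(guard, traversal_url)      # ../ inside an allowed dir
        fully_off = _rejected(ValidatedFetchJar([jar], reject_all=True), jar_url)
        return leaked, served, blocked, traversal_blocked, fully_off


if __name__ == "__main__":
    print(demo())
```

The allow-list is keyed on canonical paths, which is why the `..` variant is caught; the point the page makes still holds, that the fully restrictive switch also refuses the legitimate plugin jar.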
OSV
Jenkins Remoting library arbitrary file read vulnerability
osv · 2024-08-07 · HIGH
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.