VDB
BIT-JENKINS-2024-23898
PUBLISHED
CVSS 8.8 HIGH
Jenkins 2.217 through 2.441 (both inclusive) and LTS 2.222.1 through 2.426.2 (both inclusive) do not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability that allows attackers to execute CLI commands on the Jenkins controller.
Risk Scores
CVSS 3.1
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins Project | Jenkins | 0, 2.442, 2.426.3 |
Exploit Intelligence
- Jenkins Security Advisory 2024-01-24 (circl)
- https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ (circl)
- http://www.openwall.com/lists/oss-security/2024/01/24/6 (circl)
- CIRCL seen: CVE-2024-23898 (circl-sighting)
- CIRCL published-proof-of-concept: CVE-2024-23898 (circl-sighting)
…and 2 more exploits
Timeline
- Jan 24, 2024 CVE Published
- Jan 24, 2024 PoC Published
- Jan 26, 2024 PoC Published
- Jan 28, 2024 PoC Published
- Jan 29, 2024 PoC Published
- Feb 18, 2024 PoC Published
- Feb 20, 2024 PoC Published
- Jun 20, 2025 PoC Published