CVE-2024-23897 — Vulnetix

CVE-2024-23897 PUBLISHED KEV

Jenkins LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

EPSS 94.47% · 100.0th percentile

Risk Scores

EPSS Score

94.47%

100.0th percentile

Affected Products

Vendor	Product	Versions
Bitnami	jenkins	0
Bitnami	jenkins	0

Timeline

Jan 20, 1970 Metasploit Module
Jan 20, 1970 VulnCheck XDB Entry
Jan 20, 1970 VulnCheck XDB Entry
Jan 20, 1970 VulnCheck XDB Entry
Jan 20, 1970 VulnCheck XDB Entry
Jan 20, 1970 VulnCheck XDB Entry
Jan 20, 1970 VulnCheck XDB Entry
Jan 20, 1970 Nuclei Template
Jan 20, 1970 Fix Commit
Jan 20, 1970 VulnCheck XDB Entry
Jan 20, 1970 VulnCheck XDB Entry
Jan 20, 1970 VulnCheck XDB Entry

References

http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html url
http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html url
http://www.openwall.com/lists/oss-security/2024/01/24/6 url
https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 url
https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ url
https://www.vicarius.io/vsociety/posts/the-anatomy-of-a-jenkins-vulnerability-cve-2024-23897-revealed-1 url
https://nvd.nist.gov/vuln/detail/CVE-2024-23897 url
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23897 url

Open in Interactive Console →