PT-2023-8445 · Jenkins +1

Alchemist · Published 2023-01-24 · Updated 2025-10-18 · CVE-2024-23897

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Jenkins versions prior to 2.442
Jenkins LTS versions prior to 2.426.3

Description
A critical vulnerability in Jenkins' built-in command line interface (CLI) allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system. This vulnerability arises because Jenkins does not disable a feature in its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents. Attackers with Overall/Read permission can read entire files, while attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on the available CLI commands. Binary files containing cryptographic keys used for various Jenkins features can also be read, with some limitations. This vulnerability has been exploited in ransomware attacks and has a high CVSS score of 9.8.
Recommendations
To resolve the issue, update Jenkins to version 2.442 or later, or update Jenkins LTS to version 2.426.3 or later. If updating is not possible, consider disabling access to the CLI to prevent exploitation. Additionally, restrict access to the vulnerable module args4j to minimize the risk of exploitation. Avoid using the '@' character followed by a file path in CLI commands until the issue is resolved.
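As an added illustration (not code from this advisory, from Jenkins or from args4j), the following Python models the argument pre-processing the description refers to: the vulnerable form, in which an '@<path>' argument is replaced by the lines of that file, beside the hardened form in which the expansion is disabled, plus a check of a Jenkins version string against the fixed versions stated above. The sample file, the function names and the assumption that each line of the file becomes one argument are mine.

```python
import os
import tempfile

# Constructed sample file standing in for a file on the controller file system.
_tmpdir = tempfile.mkdtemp()
SAMPLE_PATH = os.path.join(_tmpdir, "sample.txt")
with open(SAMPLE_PATH, "w", encoding="utf-8") as fh:
    fh.write("line-one\nline-two\nline-three\n")

FIXED_WEEKLY = (2, 442)       # Jenkins 2.442 (from the advisory)
FIXED_LTS = (2, 426, 3)       # Jenkins LTS 2.426.3 (from the advisory)


def expand_args(args, expand_at_files):
    """Model of the '@' pre-processing step in a CLI argument parser.

    expand_at_files=True mimics the behaviour the advisory describes: an
    argument '@<path>' is replaced by the contents of <path> (modelled here
    as one argument per line, an assumption about args4j).
    expand_at_files=False is the hardened setting: the argument is passed
    through untouched, so no file is ever opened on the parser's behalf.
    """
    out = []
    for arg in args:
        if expand_at_files and len(arg) > 1 and arg.startswith("@"):
            with open(arg[1:], encoding="utf-8") as fh:
                out.extend(fh.read().splitlines())
        else:
            out.append(arg)
    return out


def is_affected(version):
    """True if a Jenkins version string is below the fixed release.

    Two-component versions (e.g. '2.441') are treated as weekly releases,
    three-component versions (e.g. '2.426.2') as LTS releases.
    """
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) == 2:
        return parts < FIXED_WEEKLY
    if len(parts) == 3:
        return parts < FIXED_LTS
    raise ValueError(f"unrecognised Jenkins version string: {version!r}")


if __name__ == "__main__":
    argv = ["help", "@" + SAMPLE_PATH]
    print("vulnerable:", expand_args(argv, expand_at_files=True))
    print("hardened:  ", expand_args(argv, expand_at_files=False))
    for v in ("2.441", "2.442", "2.426.2", "2.426.3"):
        print(v, "affected" if is_affected(v) else "fixed")
```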

Exploit · Fix · RCE · Information Disclosure · Path traversal · Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2024-00750
BIT-JENKINS-2024-23897
CVE-2024-23897
GHSA-6F9G-CXWR-Q5JR
RHSA-2024:0775
RHSA-2024:0776
RHSA-2024:0778

Affected Products

Jenkins
Red Os