PT-2023-8445 · Jenkins +1

Alchemist · Published 2023-01-24 · Updated 2025-11-25 · CVE-2024-23897

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.441 and earlier, LTS 2.426.2 and earlier.
Description:
Jenkins contains an arbitrary file read vulnerability in its Command Line Interface (CLI). The flaw allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system. It stems from a failure to disable a feature of the CLI command parser that replaces an '@' character followed by a file path in an argument with the contents of that file. The vulnerability has been actively exploited in the wild, including in reported ransomware attacks, and proof-of-concept (PoC) exploits are publicly available. It carries a CVSS score of 9.8 and is rated critical. Several reports indicate that over 45,000 Jenkins instances are exposed and vulnerable. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
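The affected ranges stated above mix two Jenkins release lines with different version formats (weekly releases such as 2.441 and LTS releases such as 2.426.2), so a plain string comparison gets the check wrong. The following Python script, an added example and not tooling from Jenkins or from this record's source, classifies a version string by release line and reports whether it falls inside the affected ranges this record states; it assumes that weekly versions have two numeric components and LTS versions three, and the sample response headers it parses are constructed here for illustration (Jenkins does send its version in an X-Jenkins response header).

```python
"""Check whether a Jenkins version is inside the affected ranges stated in
this record for CVE-2024-23897 (added example, not the advisory's tooling).

Stated affected ranges:
  - weekly releases 2.441 and earlier
  - LTS releases 2.426.2 and earlier
"""
import re

# Upper bounds of the affected ranges, exactly as the record states them.
WEEKLY_MAX = (2, 441)      # weekly line: two numeric components
LTS_MAX = (2, 426, 2)      # LTS line: three numeric components

# Accepts "2.441", "2.426.2" and tolerates a "-SNAPSHOT"-style suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?$")

# Constructed sample of HTTP response headers from a Jenkins controller
# (illustrative values, not captured from a real host).
SAMPLE_HEADERS = {
    "Content-Type": "text/html;charset=utf-8",
    "X-Jenkins": "2.426.2",
    "X-Jenkins-Session": "constructed-sample",
}


def parse_version(version: str) -> tuple:
    """Return the numeric components of a Jenkins version as a tuple.

    Two components mean a weekly release, three mean an LTS release.
    Raises ValueError for strings that are not Jenkins version numbers.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(version: str) -> bool:
    """LTS releases carry a third component (e.g. 2.426.2)."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True when the version lies inside the stated affected range
    of its own release line; tuple comparison is numeric per component."""
    parts = parse_version(version)
    if len(parts) == 3:
        return parts <= LTS_MAX
    return parts <= WEEKLY_MAX


def version_from_headers(headers: dict) -> str:
    """Pull the controller version from an X-Jenkins response header,
    matching the header name case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    raise KeyError("no X-Jenkins header present")


def report(version: str) -> str:
    """One-line human-readable verdict for inventory or ticket notes."""
    line = "LTS" if is_lts(version) else "weekly"
    verdict = "INSIDE" if is_affected(version) else "outside"
    return f"Jenkins {version} ({line}): {verdict} the stated affected range"


if __name__ == "__main__":
    for v in ("2.441", "2.442", "2.426.2", "2.426.3", "2.414.3"):
        print(report(v))
    print(report(version_from_headers(SAMPLE_HEADERS)))
```

Run it against an inventory export of X-Jenkins values to flag controllers that still need attention; note that the verdict is limited to the ranges this record states and says nothing about versions outside them.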

Exploit · RCE · Information Disclosure · Improper Access Control · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2024-00750
BIT-JENKINS-2024-23897
CVE-2024-23897
GHSA-6F9G-CXWR-Q5JR
RHSA-2024:0775
RHSA-2024:0776
RHSA-2024:0778

Affected Products

Jenkins
Red Os