CVE-2024-23897

Jenkins Command Line Interface (CLI) Path Traversal Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

Jenkins 2.441 y anteriores, LTS 2.426.2 y anteriores no desactivan una función de su analizador de comandos CLI que reemplaza un carácter '@' seguido de una ruta de archivo en un argumento con el contenido del archivo, lo que permite a atacantes no autenticados leer archivos arbitrarios en el sistema de archivos del controlador Jenkins.

A flaw was found in Jenkins, which uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces the "@" character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default; Jenkins 2.441 and earlier as well as LTS 2.426.2 and earlier do not disable it.

Jenkins version 2.441 suffers from a local file inclusion vulnerability.

Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution.

*Credits: N/A

CVSS Scores

NISTv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-01-23 CVE Reserved
2024-01-24 CVE Published
2024-01-27 First Exploit
2024-08-19 CVE Updated
2024-08-19 Exploited in Wild
2024-09-09 KEV Due Date
2024-11-19 EPSS Updated

CWE

CWE-27: Path Traversal: 'dir/../../filename'
CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CAPEC

References (42)

URL	Tag	Source
http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html	Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/01/24/6	Mailing List
https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins

URL	Date	SRC
https://github.com/yoryio/CVE-2024-23897	2024-03-13
https://www.exploit-db.com/exploits/51993	2024-04-15
https://github.com/Abo5/CVE-2024-23897	2024-02-26
https://github.com/Surko888/Surko-Exploit-Jenkins-CVE-2024-23897	2024-06-01
https://github.com/h4x0r-dz/CVE-2024-23897	2024-01-28
https://github.com/xaitax/CVE-2024-23897	2024-02-29
https://github.com/binganao/CVE-2024-23897	2024-02-01
https://github.com/wjlin0/CVE-2024-23897	2024-03-16
https://github.com/kaanatmacaa/CVE-2024-23897	2024-02-05
https://github.com/Vozec/CVE-2024-23897	2024-01-28
https://github.com/godylockz/CVE-2024-23897	2024-02-17
https://github.com/Maalfer/CVE-2024-23897	2024-05-17
https://github.com/3yujw7njai/CVE-2024-23897	2024-01-27
https://github.com/viszsec/CVE-2024-23897	2024-01-31
https://github.com/mil4ne/CVE-2024-23897-Jenkins-4.441	2024-05-08
https://github.com/B4CK4TT4CK/CVE-2024-23897	2024-02-13
https://github.com/NoSpaceAvailable/CVE-2024-23897	2024-08-06
https://github.com/Praison001/CVE-2024-23897-Jenkins-Arbitrary-Read-File-Vulnerability	2024-02-09
https://github.com/murataydemir/CVE-2024-23897	2024-05-07
https://github.com/jopraveen/CVE-2024-23897	2024-01-29
https://github.com/Athulya666/CVE-2024-23897	2024-05-03
https://github.com/Nebian/CVE-2024-23897	2024-02-21
https://github.com/ThatNotEasy/CVE-2024-23897	2024-03-02
https://github.com/raheel0x01/CVE-2024-23897	2024-01-28
https://github.com/AbraXa5/Jenkins-CVE-2024-23897	2024-02-04
https://github.com/brijne/CVE-2024-23897-RCE	2024-02-02
https://github.com/WLXQqwer/Jenkins-CVE-2024-23897-	2024-02-04
https://github.com/pulentoski/CVE-2024-23897-Arbitrary-file-read	2024-02-20
https://github.com/JAthulya/CVE-2024-23897	2024-05-03
https://github.com/fullaw4ke/CVE-2024-23897-Jenkins-4.441	2024-05-08
https://github.com/ifconfig-me/CVE-2024-23897	2024-02-17
https://github.com/r0xdeadbeef/CVE-2024-23897	2024-01-28
https://github.com/verylazytech/CVE-2024-23897	2024-09-30
https://github.com/cc3305/CVE-2024-23897	2024-10-28
https://github.com/zgimszhd61/CVE-2024-23897-poc	2024-11-01
http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html	2024-08-19

URL	Date	SRC

URL	Date	SRC
https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314	2024-05-14
https://access.redhat.com/security/cve/CVE-2024-23897	2024-02-12
https://bugzilla.redhat.com/show_bug.cgi?id=2260180	2024-02-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Jenkins Search vendor "Jenkins"		Jenkins Search vendor "Jenkins" for product "Jenkins"				< 2.426.3 Search vendor "Jenkins" for product "Jenkins" and version " < 2.426.3"		lts		Affected
Jenkins Search vendor "Jenkins"		Jenkins Search vendor "Jenkins" for product "Jenkins"				< 2.442 Search vendor "Jenkins" for product "Jenkins" and version " < 2.442"		-		Affected