CVE-2024-23897 – This vulnerability in Jenkins allows unauthenti... (How to Fix)

Q: What is the severity of CVE-2024-23897?

CVE-2024-23897 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Jenkins allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system by exploiting a CLI command parser feature that replaces '@' characters followed by file paths with file contents. All Jenkins instances version 2.441 and earlier, and LTS 2.426.2 and earlier are affected. This can lead to sensitive information disclosure including credentials, configuration files, and source code.

📋 TL;DR

This vulnerability in Jenkins allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system by exploiting a CLI command parser feature that replaces '@' characters followed by file paths with file contents. All Jenkins instances version 2.441 and earlier, and LTS 2.426.2 and earlier are affected. This can lead to sensitive information disclosure including credentials, configuration files, and source code.

💻 Affected Systems

Products:

Jenkins

Versions: Jenkins 2.441 and earlier, Jenkins LTS 2.426.2 and earlier

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Jenkins by Jenkins

View all CVEs affecting Jenkins →

Jenkins by Jenkins

View all CVEs affecting Jenkins →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain access to sensitive files like SSH keys, database credentials, configuration files, and source code, potentially leading to complete system compromise and lateral movement.

🟠

Likely Case

Unauthenticated attackers read arbitrary files from the Jenkins controller, exposing credentials, configuration data, and potentially enabling further attacks.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to file disclosure on the Jenkins controller only.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Multiple public exploit scripts and scanners are available. Exploitation requires network access to Jenkins CLI endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.442, Jenkins LTS 2.426.3

Vendor Advisory: https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314

Restart Required: Yes

Instructions:

1. Backup your Jenkins instance. 2. Upgrade to Jenkins 2.442 or Jenkins LTS 2.426.3. 3. Restart Jenkins service. 4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Disable CLI access

all

Block access to Jenkins CLI endpoints to prevent exploitation

Configure firewall rules to block access to Jenkins CLI port (default 33848/TCP)
Use network ACLs to restrict access to Jenkins controller

Network segmentation

all

Isolate Jenkins controller from untrusted networks

Place Jenkins behind reverse proxy with strict access controls
Implement network segmentation to limit Jenkins controller exposure

🧯 If You Can't Patch

Implement strict network access controls to limit Jenkins controller exposure
Monitor for suspicious file access patterns and CLI usage

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version via web interface (Manage Jenkins -> About Jenkins) or via CLI command 'java -jar jenkins-cli.jar -s http://jenkins-url/ version'

Check Version:

java -jar jenkins-cli.jar -s http://jenkins-url/ version

Verify Fix Applied:

Verify Jenkins version is 2.442 or higher, or LTS 2.426.3 or higher. Test CLI '@' file expansion feature is disabled.

📡 Detection & Monitoring

Log Indicators:

Unusual CLI command patterns with '@' characters
Multiple failed authentication attempts followed by CLI access
File read operations from unexpected sources

Network Indicators:

Traffic to Jenkins CLI port (default 33848) from untrusted sources
Unusual patterns of CLI command execution

SIEM Query:

source="jenkins.log" AND ("@/" OR "@C:" OR "CLI command") AND NOT user="authenticated_user"

📊 Metadata

CVE ID: CVE-2024-23897

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-22

Published: January 24, 2024

Last Updated: October 24, 2025

🔗 References

http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html Third Party Advisory,VDB Entry
http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html Exploit,Third Party Advisory,VDB Entry
http://www.openwall.com/lists/oss-security/2024/01/24/6 Mailing List
https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 Vendor Advisory
https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ Exploit,Press/Media Coverage
http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html Third Party Advisory,VDB Entry
http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html Exploit,Third Party Advisory,VDB Entry
http://www.openwall.com/lists/oss-security/2024/01/24/6 Mailing List
https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 Vendor Advisory
https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ Exploit,Press/Media Coverage
https://www.vicarius.io/vsociety/posts/the-anatomy-of-a-jenkins-vulnerability-cve-2024-23897-revealed-1 Exploit,Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23897 US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-23897, you might also want to check these: