CVE-2024-23897
CVE-2024-23897 is a critical-severity vulnerability in Jenkins with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-08-19). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-08-19)
- EU (EUVD) id: EUVD-2024-0270
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-08-19)
- Weakness: CWE-22
- Affected product: Jenkins
- Published:
- Last modified:
Description
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
CVE-2024-23897: Jenkins CLI Arbitrary File Read via Argument Expansion
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2024-23897 |
| CVSS 3.1 | 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory |
| EPSS | 0.99999 (percentile 0.99995) |
| KEV | Yes — added 2024-08-19; EU exploited since 2024-08-19 |
| Affected | Jenkins ≤ 2.441 (weekly), Jenkins LTS ≤ 2.426.2 |
| Patched | Jenkins 2.442 (weekly), Jenkins LTS 2.426.3 |
Summary
Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier, does not disable a feature of its CLI command parser that replaces an @ character followed by a file path in an argument with the file's contents. This allows unauthenticated remote attackers to read arbitrary files on the Jenkins controller file system, including sensitive credentials and configuration files.
Background
Jenkins provides a command-line interface (CLI) for administrative and operational tasks. The CLI parser supports argument expansion: when an argument starts with @, the parser treats the remainder as a file path and substitutes the file's contents into the argument list. This feature is intended for local scripting convenience but is exposed to remote, unauthenticated users when the CLI is enabled over remoting or HTTP. Because Jenkins does not restrict this expansion to authenticated sessions or disable it by default, it becomes a vehicle for unauthenticated path traversal.
Root Cause
CWE-22: Improper Limitation of a Pathname to a Restricted Directory.
The Jenkins CLI argument parser performs file-content expansion without validating the caller's authorization to read the requested path. The expansion occurs before access-control checks that would otherwise gate CLI command execution, and the parser accepts absolute paths and directory traversal sequences (e.g., ../../../etc/passwd). Because the parser runs on the Jenkins controller with the controller's file-system privileges, an attacker can read any file the controller process can access.
Impact
The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H maps to a Critical score of 9.8.
- Confidentiality: HIGH — Arbitrary file read exposes
credentials.xml,config.xml, secret keys, and build logs. - Integrity: HIGH — File contents can include secrets that enable further compromise (e.g., SSH keys, API tokens).
- Availability: HIGH — While direct disruption is not the primary mechanism, stolen credentials can be leveraged for destructive follow-on actions.
This vulnerability is actively exploited in the wild: CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 2024-08-19, and the EU vulnerability database (EUVD-2024-0270) also lists it as exploited. The EPSS score of 0.99999 indicates near-universal probability of exploitation within 30 days.
Exploitation Walkthrough
Ethics caveat: This description is provided for defensive awareness only. Do not test against systems you do not own or have explicit permission to assess.
- An attacker sends a Jenkins CLI command over the remoting channel or HTTP endpoint.
- In place of a normal string argument, the attacker supplies
@/etc/passwdor@../../secrets/master.key. - The CLI parser reads the referenced file from the controller's local file system and substitutes its contents into the argument.
- The command's output or error message leaks the file contents back to the attacker.
Because the attack is unauthenticated and network-reachable, it can be automated at scale.
Affected and Patched Versions
| Track | Affected | Patched |
|---|---|---|
| Weekly | ≤ 2.441 | 2.442 |
| LTS | ≤ 2.426.2 | 2.426.3 |
Maven package org.jenkins-ci.main:jenkins-core versions ≥ 1.606 and < 2.426.3 are also affected.
Remediation
- Upgrade immediately to Jenkins 2.442 (weekly) or Jenkins LTS 2.426.3 or later. These releases disable the dangerous argument expansion by default.
- Disable CLI remoting if not required, or restrict CLI access to trusted administrative hosts via network segmentation.
- Rotate secrets — if you ran an affected version, assume
credentials.xml,secrets/master.key, and other sensitive files were exposed. Rotate all Jenkins-stored credentials and review access logs for anomalous CLI activity. - Compensating controls until patched: place Jenkins behind a reverse proxy or VPN that blocks unauthenticated CLI access, and enforce IP allowlisting for administrative endpoints.
Detection
- Monitor Jenkins access logs for CLI requests containing arguments that start with
@followed by path-like strings. - Review controller file-system audit logs for unexpected file reads by the Jenkins process.
- Correlate Jenkins CLI endpoint access with your SIEM; look for repeated, anomalous CLI connections from new or external source IPs.
- Check for unauthorized downloads of
credentials.xml,config.xml, or files under$JENKINS_HOME/secrets.
Assessment
CVE-2024-23897 is a textbook example of a convenience feature (argument expansion) becoming a critical attack surface. With a CVSS 9.8, EPSS 0.99999, and confirmed in-the-wild exploitation, this should be treated as an emergency patch for any internet-facing Jenkins instance.
Key lessons:
- Disable by default, enable explicitly. Features that interact with the local file system should require explicit opt-in, especially on remote interfaces.
- Input validation before expansion. File-system expansion should be gated by authorization checks and restricted to safe paths.
References
- https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23897
- https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
- https://github.com/jenkinsci/jenkins/commit/554f03782057c499c49bbb06575f0d28b5200edb
- https://github.com/jenkinsci/jenkins
- https://www.jenkins.io/changelog-stable/#v2.440.1
- http://www.openwall.com/lists/oss-security/2024/01/24/6
- https://www.vicarius.io/vsociety/posts/the-anatomy-of-a-jenkins-vulnerability-cve-2024-23897-revealed-1
Frequently asked questions
- What is CVE-2024-23897?
- Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
- How severe is CVE-2024-23897?
- CVE-2024-23897 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-23897 being actively exploited?
- Yes. CVE-2024-23897 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-08-19, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-23897?
- CVE-2024-23897 primarily affects Jenkins. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-23897?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-23897 have an EU (EUVD) identifier?
- Yes. CVE-2024-23897 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-0270. It is also flagged as exploited in the EUVD (since 2024-08-19).
- When was CVE-2024-23897 published?
- CVE-2024-23897 was published on 2024-01-24 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html
- http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html
- http://www.openwall.com/lists/oss-security/2024/01/24/6
- https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
- https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
- https://www.vicarius.io/vsociety/posts/the-anatomy-of-a-jenkins-vulnerability-cve-2024-23897-revealed-1
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23897
Affected products (2)
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
More vulnerabilities in Jenkins
- CVE-2021-21696 — Critical (CVSS 9.8): Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside…
- CVE-2021-21694 — Critical (CVSS 9.8): FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not…
- CVE-2021-21693 — Critical (CVSS 9.8): When creating temporary files, agent-to-controller access to create those files is only checked after they've been…
- CVE-2021-21692 — Critical (CVSS 9.8): FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check…
- CVE-2021-21691 — Critical (CVSS 9.8): Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins…
- CVE-2021-21690 — Critical (CVSS 9.8): Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path…
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…
Browse all CWE-22 (Path Traversal) vulnerabilities →
Threat intelligence
Threat-intel indicators referencing this CVE:
- 36.134.126.74 (ipv4-addr)
- 46.99.188.194 (ipv4-addr)