CVE-2024-23897

CVE-2024-23897 is a critical-severity vulnerability in Jenkins with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-08-19). The underlying weakness is classified as CWE-22.

Key facts

Description

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

CVE-2024-23897: Jenkins CLI Arbitrary File Read via Argument Expansion

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2024-23897
CVSS 3.1 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory
EPSS 0.99999 (percentile 0.99995)
KEV Yes — added 2024-08-19; EU exploited since 2024-08-19
Affected Jenkins ≤ 2.441 (weekly), Jenkins LTS ≤ 2.426.2
Patched Jenkins 2.442 (weekly), Jenkins LTS 2.426.3

Summary

Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier, does not disable a feature of its CLI command parser that replaces an @ character followed by a file path in an argument with the file's contents. This allows unauthenticated remote attackers to read arbitrary files on the Jenkins controller file system, including sensitive credentials and configuration files.

Background

Jenkins provides a command-line interface (CLI) for administrative and operational tasks. The CLI parser supports argument expansion: when an argument starts with @, the parser treats the remainder as a file path and substitutes the file's contents into the argument list. This feature is intended for local scripting convenience but is exposed to remote, unauthenticated users when the CLI is enabled over remoting or HTTP. Because Jenkins does not restrict this expansion to authenticated sessions or disable it by default, it becomes a vehicle for unauthenticated path traversal.

Root Cause

CWE-22: Improper Limitation of a Pathname to a Restricted Directory.

The Jenkins CLI argument parser performs file-content expansion without validating the caller's authorization to read the requested path. The expansion occurs before access-control checks that would otherwise gate CLI command execution, and the parser accepts absolute paths and directory traversal sequences (e.g., ../../../etc/passwd). Because the parser runs on the Jenkins controller with the controller's file-system privileges, an attacker can read any file the controller process can access.

Impact

The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H maps to a Critical score of 9.8.

  • Confidentiality: HIGH — Arbitrary file read exposes credentials.xml, config.xml, secret keys, and build logs.
  • Integrity: HIGH — File contents can include secrets that enable further compromise (e.g., SSH keys, API tokens).
  • Availability: HIGH — While direct disruption is not the primary mechanism, stolen credentials can be leveraged for destructive follow-on actions.

This vulnerability is actively exploited in the wild: CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 2024-08-19, and the EU vulnerability database (EUVD-2024-0270) also lists it as exploited. The EPSS score of 0.99999 indicates near-universal probability of exploitation within 30 days.

Exploitation Walkthrough

Ethics caveat: This description is provided for defensive awareness only. Do not test against systems you do not own or have explicit permission to assess.

  1. An attacker sends a Jenkins CLI command over the remoting channel or HTTP endpoint.
  2. In place of a normal string argument, the attacker supplies @/etc/passwd or @../../secrets/master.key.
  3. The CLI parser reads the referenced file from the controller's local file system and substitutes its contents into the argument.
  4. The command's output or error message leaks the file contents back to the attacker.

Because the attack is unauthenticated and network-reachable, it can be automated at scale.

Affected and Patched Versions

Track Affected Patched
Weekly ≤ 2.441 2.442
LTS ≤ 2.426.2 2.426.3

Maven package org.jenkins-ci.main:jenkins-core versions ≥ 1.606 and < 2.426.3 are also affected.

Remediation

  1. Upgrade immediately to Jenkins 2.442 (weekly) or Jenkins LTS 2.426.3 or later. These releases disable the dangerous argument expansion by default.
  2. Disable CLI remoting if not required, or restrict CLI access to trusted administrative hosts via network segmentation.
  3. Rotate secrets — if you ran an affected version, assume credentials.xml, secrets/master.key, and other sensitive files were exposed. Rotate all Jenkins-stored credentials and review access logs for anomalous CLI activity.
  4. Compensating controls until patched: place Jenkins behind a reverse proxy or VPN that blocks unauthenticated CLI access, and enforce IP allowlisting for administrative endpoints.

Detection

  • Monitor Jenkins access logs for CLI requests containing arguments that start with @ followed by path-like strings.
  • Review controller file-system audit logs for unexpected file reads by the Jenkins process.
  • Correlate Jenkins CLI endpoint access with your SIEM; look for repeated, anomalous CLI connections from new or external source IPs.
  • Check for unauthorized downloads of credentials.xml, config.xml, or files under $JENKINS_HOME/secrets.

Assessment

CVE-2024-23897 is a textbook example of a convenience feature (argument expansion) becoming a critical attack surface. With a CVSS 9.8, EPSS 0.99999, and confirmed in-the-wild exploitation, this should be treated as an emergency patch for any internet-facing Jenkins instance.

Key lessons:

  1. Disable by default, enable explicitly. Features that interact with the local file system should require explicit opt-in, especially on remote interfaces.
  2. Input validation before expansion. File-system expansion should be gated by authorization checks and restricted to safe paths.

References

Frequently asked questions

What is CVE-2024-23897?
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
How severe is CVE-2024-23897?
CVE-2024-23897 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2024-23897 being actively exploited?
Yes. CVE-2024-23897 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-08-19, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2024-23897?
CVE-2024-23897 primarily affects Jenkins. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2024-23897?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2024-23897 have an EU (EUVD) identifier?
Yes. CVE-2024-23897 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-0270. It is also flagged as exploited in the EUVD (since 2024-08-19).
When was CVE-2024-23897 published?
CVE-2024-23897 was published on 2024-01-24 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Jenkins

All CVEs affecting Jenkins →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →

Threat intelligence

Threat-intel indicators referencing this CVE: