CVE-2024-23897
Published: 24 January 2024
Summary
CVE-2024-23897 is a critical-severity Path Traversal (CWE-22) vulnerability in Jenkins Jenkins. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Jenkins 2.441 and earlier, along with LTS 2.426.2 and earlier, contains a vulnerability in its CLI command parser. The parser fails to disable a feature that substitutes an argument beginning with '@' followed by a file path with the contents of that file on the Jenkins controller file system. This path traversal issue is tracked as CWE-22 and CWE-27 and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers can supply crafted CLI arguments over the network to read arbitrary files on the controller. Successful exploitation grants access to sensitive configuration data, credentials, and other file contents, enabling further compromise of confidentiality, integrity, and availability without any user interaction or authentication.
The Jenkins security advisory for SECURITY-3314 and related references describe the affected component and direct administrators to upgrade to patched releases. Public exploit code and scanning tools have been published, and the CVE maintains a high EPSS score with a peak of 0.9735, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0270
Vulnerability details
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read…
more
arbitrary files on the Jenkins controller file system.
- CWE(s)
- KEV Date Added
- 19 August 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces access restrictions on the Jenkins CLI parser so that unauthenticated @file substitution cannot read arbitrary controller files.
Requires validation and sanitization of CLI arguments to disable or neutralize the @file content-substitution feature that enables the path traversal.
Limits privileges of the CLI process and parser so that even if the substitution occurs it cannot access files outside its minimal authorized scope.