Critical severity · CISA KEV · NVD Advisory · Published Jan 24, 2024 · Updated Oct 21, 2025
CVE-2024-23897
Description
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | >= 1.606, < 2.426.3 | 2.426.3 |
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.427, < 2.440.1 | 2.440.1 |
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.441, < 2.442 | 2.442 |
Affected products
OSV package coordinates (9 listed, none with a CPE):
- pkg:apk/chainguard/jenkins
- pkg:apk/chainguard/jenkins-2.440
- pkg:apk/chainguard/jenkins-compat
- pkg:apk/chainguard/jenkins-remoting
- pkg:apk/wolfi/jenkins
- pkg:apk/wolfi/jenkins-compat
- pkg:apk/wolfi/jenkins-remoting
- pkg:bitnami/jenkins
- pkg:maven/org.jenkins-ci.main/jenkins-core
Affected version ranges as recorded (10 entries; the record does not pair them with the coordinates above):
- < 2.442-r0 (listed six times)
- < 0
- < 2.452.1
- >= 1.606, < 2.426.3
- 0
References
- github.com/advisories/GHSA-6f9g-cxwr-q5jr (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-23897 (GHSA, advisory)
- www.jenkins.io/security/advisory/2024-01-24/ (GHSA, vendor advisory)
- packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html (GHSA, web)
- packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html (GHSA, web)
- www.openwall.com/lists/oss-security/2024/01/24/6 (GHSA, web)
- github.com/jenkinsci/jenkins/commit/554f03782057c499c49bbb06575f0d28b5200edb (GHSA, web; fix commit)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (GHSA, web)
- www.jenkins.io/changelog-stable/ (GHSA, web)
- www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins (GHSA, web; also listed by MITRE)
- www.vicarius.io/vsociety/posts/the-anatomy-of-a-jenkins-vulnerability-cve-2024-23897-revealed-1 (GHSA, web)
News mentions
- Jenkins Security Advisory 2024-01-24 (Jenkins Security Advisories, Jan 24, 2024)