CVE-2024-23897

Published Jan 24, 2024

Last updated 8 months ago

Exploit knownCVSS critical 9.8
web application

Overview

Description
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Source
jenkinsci-cert@googlegroups.com
NVD status
Analyzed
Products
jenkins

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Jenkins Command Line Interface (CLI) Path Traversal Vulnerability
Exploit added on
Aug 19, 2024
Exploit action due
Sep 9, 2024
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov
CWE-22
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-27

Social media

Hype score
Not currently trending

  1. Jenkins has disclosed a critical RCE vulnerability (CVE-2024-23897) affecting its CLI with a CVSS score of 9.8. #Cybersecurity #Jenkins #RCE #CVE2024 #DevOps #AppSec #Vulnerability https://t.co/9Uw1UEDJYS

    @defhawk_specter

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. A new AI review! gquere/pwn_jenkins ⭐3.1/5.0 pwn_jenkins is a small, pragmatic offensive-security toolkit focused on Jenkins exploitation and post-exploitation: leveraging known CVEs (notably CVE-2024-23897), dumping build logs/env vars ... https://t.co/OegCjyNwn5

    @GitRated

    20 May 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2024-23897. CVE-2024-23897: Jenkins CLI Arbitrary File Read via args4j @ Expansion

    @lyrie_ai

    29 Apr 2026

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. 🎯 DIB Threat Briefing — March 20, 2026 1560 CVEs tracked • 25 threat actors • 14 sectors **Top DIB Targets:** • APT28 (Russia) — Defense Industrial Base + Aerospace (CVE-2024-23897, CVE-2024-1709) • APT29 (Russia) — Energy + Govt overlap (CVE-2024-3400, CVE-202

    @DeusLogica

    20 Mar 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Intel Report [CRITICAL] - Multiple critical vulnerabilities affecting Jenkins automation servers pose severe risks to CI/CD infrastructure worldwide. The most well-documented vulnerability, CVE-2024-23897 (CVSS 9.8), is an arbitrary file read flaw in... https://t.co/pzwBqVJDR6

    @EnigmaGlobalSW

    20 Mar 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Cytellite recent detection targeting CVE-2024-23897 — Stiftung Erneuerbare Freiheit Visit -- https://t.co/Np23qyJLly #Loginsoft #Cytellite #Cybersecurity #CVE202423897 #LOVI #ThreatIntelligence #Infosecurity #AI https://t.co/wmwkMMngoP

    @Loginsoft_Intel

    11 Feb 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Cytellite recent detection targeting CVE-2024-23897 — Stiftung Erneuerbare Freiheit Visit -- https://t.co/Np23qyJLly #Loginsoft #Cytellite #Cybersecurity #CVE202423897 #LOVI #ThreatIntelligence #Infosecurity #AI https://t.co/hkVEAvx3Qk

    @Loginsoft_Intel

    11 Feb 2026

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 📷 In-depth guide for Jenkins penetration testing. From CVE-2024-23897 exploits to plugin RCEs, Script Console abuse, and hardening best practices - everything you need to test (and secure) your CI/CD pipeline. https://t.co/2OGXIxAkmz #PenTest #CyberSecurity

    @funofcyber31337

    4 Dec 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. A multi-stage AWS compromise exploited CVE-2024-23897 on Jenkins, deploying a malicious Docker image that installed LinkPro, an eBPF Linux rootkit activating via a specific magic packet. #LinuxRootkit #AWSAttack #France https://t.co/k7iPABdVq3

    @TweetThreatNews

    18 Oct 2025

    161 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. An ninh mạng tháng 02/2025: Lỗ hổng và sự kiện nổi bật Bản tin tháng 02/2025 từ FPT Cloud tổng hợp các lỗ hổng bảo mật nghiêm trọng như CVE-2024-23897, CVE-2024-21762... Đọc chi tiết: https://t.co/Xc6CCjEF8m #fptcloud #cloud_sever_fpt #A

    @fptcloud1

    18 May 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Critical Vulnerability in Jenkins: Arbitrary File Read Leading to Remote Code Execution (RCE) via CVE-2024-23897 A critical vulnerability has been identified in Jenkins, enabling attackers to execute arbitrary code (RCE) on affected systems by exploiting a flaw in the https://

    @CyberPentestLab

    22 Mar 2025

    121 Impressions

    0 Retweets

    7 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Bitsight TRACE researchers tackled CVE-2024-23897 with a systematic, non-intrusive detection method—going beyond version checks to confirm vulnerabilities with confidence. Cybersecurity research done right. Read more: https://t.co/9gSdmCsTN4 #BitsightTRACE #ThreatIntel https:/

    @Bitsight

    4 Feb 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. The CVE-2024-23897 vulnerability is interesting, I was testing it. 💻🤖👾 https://t.co/ErLdQrhP6j

    @Hack32_

    17 Jan 2025

    105 Impressions

    0 Retweets

    6 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  14. Exploiting Jenkins + CVE-2024-23897 https://t.co/gvvYybKj9C https://t.co/33lMTtbjXs

    @jaacostan

    7 Jan 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. How do attackers exploit Jenkins CVE-2024-23897? Using tools like Shodan and CLI, they target outdated systems. Learn how to defend your infrastructure: https://t.co/U7lsLMTi5l #Jenkins #vulnerability https://t.co/tS9Lqj6p7a

    @FireCompass

    6 Dec 2024

    15 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Critical alert for Jenkins users! CVE-2024-23897, a dangerous RCE flaw, allows attackers to access sensitive files on your servers. Stay informed, stay secure. Learn more: https://t.co/U7lsLMTPUT #Jenkins #cybersecurityawareness https://t.co/I7zYkENHtX

    @FireCompass

    2 Dec 2024

    37 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  17. https://t.co/gmlyMf3MhG Jenkins-Args4j-CVE-2024-23897-POC #github #exploit

    @ksg93rd

    11 Nov 2024

    119 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.CVE-2026-53442
  2. Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.CVE-2026-53441
  3. Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain.CVE-2026-53440
  4. A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.CVE-2026-53438
  5. In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.CVE-2026-53435

References

Sources include official advisories and independent security research.