CVE-2024-23897
CVSS 3.1 Score 9.8 of 10 (CRITICAL)
Attack Complexity: LOW
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
Scope: UNCHANGED
Privileges Required: NONE
Summary
CVE-2024-23897 is a vulnerability affecting Jenkins versions 2.441 and earlier, as well as LTS 2.426.2 and earlier. The issue arises in the Jenkins CLI command parser, which fails to disable a feature that interprets an '@' symbol followed by a file path in an argument as a reference to that file, allowing unauthenticated attackers to read arbitrary files from the Jenkins controller file system. This poses a significant security risk through potential data exposure. Jenkins users are advised to upgrade to a patched version as soon as possible to mitigate this vulnerability.
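As an added example, not part of the advisory text, the following Python helper checks an inventory of Jenkins version strings against the affected ranges quoted above (weekly 2.441 and earlier, LTS 2.426.2 and earlier). The version-format assumption (two numeric components for weekly releases, three for LTS) and the sample inventory are the example's own.

```python
# Added example: flag Jenkins versions inside the affected ranges stated for
# CVE-2024-23897 (weekly <= 2.441, LTS <= 2.426.2). The ceilings come from the
# advisory summary; the version-format convention below is an assumption.
from typing import Dict, Iterable, Tuple

WEEKLY_MAX_AFFECTED = (2, 441)    # weekly line: 2.441 and earlier
LTS_MAX_AFFECTED = (2, 426, 2)    # LTS line: 2.426.2 and earlier


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a tuple of ints; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: str) -> bool:
    """Assumption: LTS releases carry a third component (2.426.2); weeklies do not."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True if the version falls inside an affected range for CVE-2024-23897."""
    parsed = parse_version(version)
    if len(parsed) == 3:
        return parsed <= LTS_MAX_AFFECTED
    return parsed <= WEEKLY_MAX_AFFECTED


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to 'affected', 'not affected' or 'unparseable'."""
    result: Dict[str, str] = {}
    for v in versions:
        try:
            result[v] = "affected" if is_affected(v) else "not affected"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (e.g. values read from each controller's X-Jenkins header).
    sample = ["2.441", "2.442", "2.426.2", "2.426.3", "2.400", "2.427.1", "latest"]
    for ver, verdict in triage(sample).items():
        print(f"{ver:>8}: {verdict}")
```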
Details
- Published: 2024-01-24T18:15:09.370Z
- Updated: 2024-12-20T17:30:33.613Z
- CWE ID: CWE-22, CWE-27