QID 150784

Date Published: 2024-02-08

QID 150784: Jenkins Arbitrary File Read Vulnerability (CVE-2024-23897)

Jenkins is an open source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery.

Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an '@' character followed by a file path in an argument with the file's contents (expandAtFiles). This feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it.
This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

Affected Versions:
Jenkins weekly up to and including 2.441.
Jenkins LTS up to and including LTS 2.426.2.

QID Detection Logic (Unauthenticated):
This QID detects vulnerable versions of Jenkins core from the HTTP response header.
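As an added example (not Qualys' detection code), the check below mirrors this QID's logic: it reads the Jenkins version from the X-Jenkins response header (the page names no specific header; X-Jenkins is the header Jenkins itself sets, assumed here) and compares it against the affected-version boundaries above, treating three-component numbers as LTS and two-component numbers as weekly releases. The sample responses are constructed, not captured from real hosts.

```python
import re

# Affected-version boundaries taken from the advisory text for QID 150784.
# Weekly releases have two components (2.441); LTS releases have three (2.426.2).
LAST_VULNERABLE_WEEKLY = (2, 441)
LAST_VULNERABLE_LTS = (2, 426, 2)


def parse_jenkins_version(value):
    """Turn a header value like '2.426.2' into (2, 426, 2); None if it is not a version."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+){1,2})\s*", value or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version):
    """True if the parsed version falls inside the affected range for its release line."""
    if len(version) == 3:                     # LTS line (e.g. 2.426.2)
        return version <= LAST_VULNERABLE_LTS
    return version <= LAST_VULNERABLE_WEEKLY  # weekly line (e.g. 2.441)


def assess_headers(headers):
    """Classify one HTTP response (header dict) as 'vulnerable', 'fixed' or 'unknown'.

    'unknown' covers a missing or unparseable X-Jenkins header (e.g. a reverse proxy
    that strips it); a scanner should report that rather than silently treat it as fixed.
    """
    raw = next((v for k, v in headers.items() if k.lower() == "x-jenkins"), None)
    version = parse_jenkins_version(raw)
    if version is None:
        return "unknown", None
    return ("vulnerable" if is_vulnerable(version) else "fixed"), version


# Constructed sample responses (assumed values, not captured from real hosts).
SAMPLE_RESPONSES = {
    "weekly-old": {"X-Jenkins": "2.441", "Server": "Jetty"},
    "weekly-fixed": {"X-Jenkins": "2.442"},
    "lts-old": {"x-jenkins": "2.426.2"},
    "lts-fixed": {"X-Jenkins": "2.426.3"},
    "no-header": {"Server": "nginx"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name:13s} -> {assess_headers(hdrs)}")
```

Note that a later LTS such as 2.440.1 compares greater than 2.426.2 and is correctly reported as fixed, while a weekly 2.426 (two components) is compared against 2.441 and reported as vulnerable.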

Successful exploitation of this vulnerability could allow an unauthorized attacker to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

  • CVSS V3 rated as High - 7.5 severity.
  • CVSS V2 rated as High - 7.8 severity.
Solution:
Customers are advised to upgrade to the latest Jenkins version. For more information regarding this vulnerability, please refer to SECURITY-3314, Jenkins Security Advisory 2024-01-24.

Vendor References:

CVEs related to QID 150784:
CVE-2024-23897

Software Advisories:
SECURITY-3314: www.jenkins.io/security/advisory/2024-01-24/