CVE-2024-23897

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*

History

20 Aug 2024, 13:34

Type Values Removed Values Added
CWE NVD-CWE-noinfo CWE-22
References () https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ - () https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ - Exploit, Press/Media Coverage

19 Aug 2024, 16:35

Type Values Removed Values Added
CWE CWE-27

14 May 2024, 15:01

Type Values Removed Values Added
References
  • () https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ -

07 Mar 2024, 17:47

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 9.8
References () http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html - Third Party Advisory () http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html - Third Party Advisory, VDB Entry
References () http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html - Exploit, Third Party Advisory () http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html - Exploit, Third Party Advisory, VDB Entry
References () http://www.openwall.com/lists/oss-security/2024/01/24/6 - () http://www.openwall.com/lists/oss-security/2024/01/24/6 - Mailing List

29 Feb 2024, 11:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/01/24/6 -

31 Jan 2024, 17:13

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CWE NVD-CWE-noinfo
References () http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html - () http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html - Exploit, Third Party Advisory
References () http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html - () http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html - Third Party Advisory
References () https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 - () https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 - Vendor Advisory
CPE cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
First Time Jenkins jenkins
Jenkins

29 Jan 2024, 18:15

Type Values Removed Values Added
References
  • () http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html -
  • () http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html -

25 Jan 2024, 10:15

Type Values Removed Values Added
References
  • {'url': 'http://www.openwall.com/lists/oss-security/2024/01/24/6', 'name': 'http://www.openwall.com/lists/oss-security/2024/01/24/6', 'tags': [], 'refsource': ''}

24 Jan 2024, 18:45

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-24 18:15

Updated : 2024-08-20 13:34


NVD link : CVE-2024-23897

Mitre link : CVE-2024-23897

CVE.ORG link : CVE-2024-23897


JSON object : View

Products Affected

jenkins

  • jenkins
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-27

Path Traversal: 'dir/../../filename'