Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html | Third Party Advisory VDB Entry |
http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html | Exploit Third Party Advisory VDB Entry |
http://www.openwall.com/lists/oss-security/2024/01/24/6 | Mailing List |
https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 | Vendor Advisory |
https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ | Exploit Press/Media Coverage |
Configurations
Configuration 1 (hide)
|
History
20 Aug 2024, 13:34
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-22 | |
References | () https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ - Exploit, Press/Media Coverage |
19 Aug 2024, 16:35
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-27 |
14 May 2024, 15:01
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Mar 2024, 17:47
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | () http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html - Third Party Advisory, VDB Entry | |
References | () http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html - Exploit, Third Party Advisory, VDB Entry | |
References | () http://www.openwall.com/lists/oss-security/2024/01/24/6 - Mailing List |
29 Feb 2024, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
31 Jan 2024, 17:13
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CWE | NVD-CWE-noinfo | |
References | () http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html - Exploit, Third Party Advisory | |
References | () http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html - Third Party Advisory | |
References | () https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 - Vendor Advisory | |
CPE | cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:* |
|
First Time |
Jenkins jenkins
Jenkins |
29 Jan 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 Jan 2024, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
24 Jan 2024, 18:45
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-24 18:15
Updated : 2024-08-20 13:34
NVD link : CVE-2024-23897
Mitre link : CVE-2024-23897
CVE.ORG link : CVE-2024-23897
JSON object : View
Products Affected
jenkins
- jenkins