Summary
CVE-2024-23897 was a critical arbitrary file read vulnerability in the Jenkins automation server, identified by Sonar's Vulnerability Research and disclosed in the Jenkins security advisory on January 24, 2024, affecting Jenkins weekly up to 2.441 and LTS up to 2.426.2. Jenkins parses built-in CLI command arguments with the args4j library, whose expandAtFiles feature is enabled by default and replaces an argument that begins with an @ character followed by a file path with the contents of that file; because Jenkins never disabled this, an attacker could pass @/path/to/file as a CLI argument to make the controller read and disclose files from its filesystem. Unauthenticated attackers could read the first few lines of arbitrary files, while attackers with Overall/Read permission could read entire files, enabling theft of secrets, SSH keys, and credentials. The leaked binary secret keys could then be chained into full remote code execution by forging Remember-me cookies, abusing Resource Root URLs, bypassing CSRF protection, or decrypting stored secrets. The flaw was added to the CISA KEV catalog on August 19, 2024 and was actively exploited, including by the RansomEXX ransomware gang and the actor IntelBroker, and was linked to breaches at BORN Group and Brontoo Technology Solutions.
How to avoid it in your code
- Patch to Jenkins weekly 2.442 or LTS 2.426.3 / 2.440.1 or later immediately.
- Disable CLI access as a temporary workaround if patching is not possible.
- Do not expose the Jenkins controller to the internet; restrict it to trusted networks.
- Rotate all secrets, SSH keys, and credentials that were readable on the controller.
- Apply least privilege to Jenkins accounts and monitor for anomalous CLI activity.
References
Related vulnerabilities
All Supply chain →- HIGHGHSA-CHM7-4VCH-H8VR
TYPO3 CMS has Broken Access Control in its Media Module
- HIGHSC-ARGOCD-2022
CVE-2022-24348 was a high-severity (CVSS 7.7) path traversal vulnerability in Argo CD, the GitOps continuous delivery tool for Kubernetes, discovered by Apiiro and disclosed in early February 2022, affecting Argo CD before 2.1.9 and 2.2.x before 2.2.4. An attacker with permission to create or update Argo CD applications could craft a malicious Kubernetes Helm chart whose values file was a symbolic link pointing outside the repository root, or pass arbitrary values files, so that when Argo CD's Helm chart processing dereferenced the link it read files belonging to other applications on the repo server. This broke the multi-tenant isolation boundary of the CD layer, letting the attacker exfiltrate sensitive data from neighboring tenants, including secrets in encrypted value files decrypted to disk by plugins such as git-crypt or SOPS, and use verbose Helm error messages to enumerate the filesystem. The issue was fixed in Argo CD 2.1.9, 2.2.4, and 2.3.0; it was treated as a zero-day at disclosure but was not associated with named ransomware operators.
- CRITICALGHSA-X223-P2GF-V735
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
- HIGHGHSA-R4GV-QR8J-P3PG
handlebars.java FileTemplateLoader Path Traversal
- MEDIUMGHSA-FG94-H982-F3MM
Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
- HIGHGHSA-R2WG-2MCR-66RV
Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal