CVE-2024-23897

CVE Database · CVE-2024-23897

CVE-2024-23897

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

100.00%

Published

Jan 24, 2024

Modified

Oct 24, 2025

CISA Known Exploited Vulnerability

Added: 2024-08-19 · Due: 2024-09-09

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (10)

All weaponized →

Exploit-DBJenkins 2.441 - Local File Inclusion TrickestTrickest PoC index GitHub PoCh4x0r-dz/CVE-2024-23897★204 GitHub PoCbinganao/CVE-2024-23897★99 GitHub PoCwjlin0/CVE-2024-23897★86 GitHub PoCxaitax/CVE-2024-23897★80 GitHub PoCgodylockz/CVE-2024-23897★40 GitHub PoCkaanatmacaa/CVE-2024-23897★22 GitHub PoCVozec/CVE-2024-23897★17 GitHub PoCP4x1s/CVE-2024-23897★15

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-22CWE-27

Affected Products (2)

jenkins · jenkins (up to 2.426.3)vulnerable

jenkins · jenkins (up to 2.442)vulnerable

References (12)

http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html

Third Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html

ExploitThird Party AdvisoryVDB Entry