Jenkins 2.441 and previous versions, LTS 2.426.2 and previous versions does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated malicious users to read arbitrary files on the Jenkins controller file system.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
jenkins jenkins |
Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Multiple publicly available exploits have since been published for the critical flaw
The number of public-facing installs of Jenkins servers vulnerable to a recently disclosed critical vulnerability is in the tens of thousands. Scans from internet security data company Shadowserver indicate roughly 45,000 instances of the hugely popular CI/CD automation server are vulnerable to CVE-2024-23897, the critical flaw disclosed on January 24. The vast majority of exposures are contained to the US and China, with 15,806 and 11,955 vulnerable servers respectively. Trailing them are India...