Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-5jqb-k5g9-6bb4
Summary
Arbitrary file read vulnerability through the Jenkins CLI can lead to RCE
Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment.

Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.

This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

* Attackers with Overall/Read permission can read entire files.

* Attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on available CLI commands. As of publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent releases of Jenkins without having any plugins installed, and has not identified any plugins that would increase this line count.

Binary files containing cryptographic keys used for various Jenkins features can also be read, with some limitations (see note on binary files below). As of publication, the Jenkins security team has confirmed the following possible attacks in addition to reading contents of all files with a known file path. All of them leverage attackers' ability to obtain cryptographic keys from binary files, and are therefore only applicable to instances where that is feasible.
Aliases
0
alias CVE-2024-23897
1
alias GHSA-6f9g-cxwr-q5jr
Fixed_packages
0
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.426.3
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.426.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.426.3
1
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.440.1
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.440.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.440.1
2
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.442
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.442
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-as34-f89r-e7ck
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.442
Affected_packages
0
url pkg:maven/org.jenkins-ci.main/jenkins-core@1.606
purl pkg:maven/org.jenkins-ci.main/jenkins-core@1.606
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5jqb-k5g9-6bb4
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@1.606
1
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.426.2
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.426.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-26me-tpwn-7udz
1
vulnerability VCID-5jqb-k5g9-6bb4
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.426.2
2
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.427
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.427
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-26me-tpwn-7udz
1
vulnerability VCID-5781-s1ny-q7ey
2
vulnerability VCID-5jqb-k5g9-6bb4
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.427
3
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.441
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.441
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-26me-tpwn-7udz
1
vulnerability VCID-5jqb-k5g9-6bb4
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.441
4
url pkg:rpm/redhat/jenkins@2.426.3.1706515686-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.426.3.1706515686-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-26me-tpwn-7udz
1
vulnerability VCID-432r-ukuw-4bgt
2
vulnerability VCID-5jqb-k5g9-6bb4
3
vulnerability VCID-6925-fwf4-f7df
4
vulnerability VCID-9tg6-2h2y-abah
5
vulnerability VCID-9xw3-4a4u-hbbb
6
vulnerability VCID-as38-uuy9-5qhu
7
vulnerability VCID-fnpa-1sqy-u7hw
8
vulnerability VCID-q3k2-1x5q-buhy
9
vulnerability VCID-y3mv-vmwd-tydt
10
vulnerability VCID-z3th-j593-m7bg
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.426.3.1706515686-3%3Farch=el8
5
url pkg:rpm/redhat/jenkins@2.426.3.1706516254-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.426.3.1706516254-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-26me-tpwn-7udz
1
vulnerability VCID-5jqb-k5g9-6bb4
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.426.3.1706516254-3%3Farch=el8
6
url pkg:rpm/redhat/jenkins@2.426.3.1706516929-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.426.3.1706516929-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-26me-tpwn-7udz
1
vulnerability VCID-432r-ukuw-4bgt
2
vulnerability VCID-5jqb-k5g9-6bb4
3
vulnerability VCID-6925-fwf4-f7df
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.426.3.1706516929-3%3Farch=el8
References
0
reference_url http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-08-19T15:35:31Z/
url http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html
1
reference_url http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-08-19T15:35:31Z/
url http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23897.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23897.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-23897
reference_id
reference_type
scores
0
value 0.94466
scoring_system epss
scoring_elements 0.99996
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-23897
4
reference_url https://github.com/jenkinsci/jenkins
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/jenkins
5
reference_url https://github.com/jenkinsci/jenkins/commit/554f03782057c499c49bbb06575f0d28b5200edb
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/jenkins/commit/554f03782057c499c49bbb06575f0d28b5200edb
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-23897
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-23897
7
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23897
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23897
8
reference_url https://www.jenkins.io/changelog-stable/#v2.440.1
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.jenkins.io/changelog-stable/#v2.440.1
9
reference_url https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-08-19T15:35:31Z/
url https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
10
reference_url https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins
11
reference_url https://www.vicarius.io/vsociety/posts/the-anatomy-of-a-jenkins-vulnerability-cve-2024-23897-revealed-1
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.vicarius.io/vsociety/posts/the-anatomy-of-a-jenkins-vulnerability-cve-2024-23897-revealed-1
12
reference_url http://www.openwall.com/lists/oss-security/2024/01/24/6
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-08-19T15:35:31Z/
url http://www.openwall.com/lists/oss-security/2024/01/24/6
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2260180
reference_id 2260180
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2260180
14
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/51993.py
reference_id CVE-2024-23897
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/51993.py
15
reference_url https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
reference_id excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2024-08-19T15:35:31Z/
url https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
16
reference_url https://github.com/advisories/GHSA-6f9g-cxwr-q5jr
reference_id GHSA-6f9g-cxwr-q5jr
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6f9g-cxwr-q5jr
17
reference_url https://access.redhat.com/errata/RHSA-2024:0775
reference_id RHSA-2024:0775
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0775
18
reference_url https://access.redhat.com/errata/RHSA-2024:0776
reference_id RHSA-2024:0776
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0776
19
reference_url https://access.redhat.com/errata/RHSA-2024:0778
reference_id RHSA-2024:0778
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0778
Weaknesses
0
cwe_id 22
name Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
description The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
1
cwe_id 27
name Path Traversal: 'dir/../../filename'
description The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal ../ sequences that can resolve to a location that is outside of that directory.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
3
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
4
cwe_id 88
name Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
description The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Exploits
0
date_added 2024-04-15
description Jenkins 2.441 - Local File Inclusion
required_action null
due_date null
notes null
known_ransomware_campaign_use false
source_date_published 2024-04-15
exploit_type webapps
platform java
source_date_updated 2024-04-15
data_source Exploit-DB
source_url
1
date_added null
description 
This module utilizes the Jenkins cli protocol to run the `help` command.
          The cli is accessible with read-only permissions by default, which are
          all thats required.

          Jenkins cli utilizes `args4j's` `parseArgument`, which calls `expandAtFiles` to
          replace any `@<filename>` with the contents of a file. We are then able to retrieve
          the error message to read up to the first two lines of a file.

          Exploitation by hand can be done with the cli, see markdown documents for additional
          instructions.

          There are a few exploitation oddities:
          1. The injection point for the `help` command requires 2 input arguments.
          When the `expandAtFiles` is called, each line of the `FILE_PATH` becomes an input argument.
          If a file only contains one line, it will throw an error: `ERROR: You must authenticate to access this Jenkins.`
          However, we can pad out the content by supplying a first argument.
          2. There is a strange timing requirement where the `download` (or first) request must get
          to the server first, but the `upload` (or second) request must be very close behind it.
          From testing against the docker image, it was found values between `.01` and `1.9` were
          viable. Due to the round trip time of the first request and response happening before
          request 2 would be received, it is necessary to use threading to ensure the requests
          happen within rapid succession.

          Files of value:
          * /var/jenkins_home/secret.key
          * /var/jenkins_home/secrets/master.key
          * /var/jenkins_home/secrets/initialAdminPassword
          * /etc/passwd
          * /etc/shadow
          * Project secrets and credentials
          * Source code, build artifacts
required_action null
due_date null
notes 
Stability:
  - crash-safe
Reliability: []
SideEffects: []
known_ransomware_campaign_use false
source_date_published 2024-01-24
exploit_type null
platform
source_date_updated null
data_source Metasploit
source_url https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read.rb
2
date_added 2024-08-19
description Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead to code execution.
required_action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
due_date 2024-09-09
notes https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314; https://nvd.nist.gov/vuln/detail/CVE-2024-23897
known_ransomware_campaign_use true
source_date_published null
exploit_type null
platform null
source_date_updated null
data_source KEV
source_url null
Severity_range_score9.0 - 10.0
Exploitability2.0
Weighted_severity9.0
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-5jqb-k5g9-6bb4