QwikSec

Security Database

CVE

CWE

Training

CVE-2024-23897

Published: Jan 24, 2024

Modified: Oct 21, 2025

PUBLISHED

Description

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

Vendor	Product	Versions
Jenkins Project	Jenkins	unaffected `0 - < 1.606` unaffected `2.442 - < ` unaffected `2.426.3 - < 2.426.` unaffected `2.440.1 - < 2.440.*`

References

Jenkins Security Advisory 2024-01-24

vendor-advisory

https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/

http://www.openwall.com/lists/oss-security/2024/01/24/6

http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html

http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.