CVE Radar


CVE-2024-23897

Critical Severity | Jenkins
SVRS: 97
CVSSv3: 9.8
EPSS: 0.94466
Tags: In The Wild, Exploit Available, CISA KEV
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Publication date: 2024-01-24
Last modified: 2025-10-21


Security Intelligence Brief

1. What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2024-23897, exists in the Jenkins CLI command parser. Specifically, a feature that replaces an '@' character followed by a file path in an argument with the file's contents is not properly disabled. This allows unauthenticated attackers to read arbitrary files from the Jenkins controller file system. This is a critical vulnerability because it grants unauthorized access to sensitive data, potentially including configuration files, credentials, and other confidential information stored on the Jenkins server, without requiring any authentication. The ability to read arbitrary files can lead to further compromise of the system.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS score for CVE-2024-23897 is 9.8, which classifies it as a Critical severity vulnerability. The vulnerability was published on January 24, 2024, at 17:52:22 UTC and was last modified on October 21, 2025, at 23:05:25 UTC.
3. Which products, vendors, systems, and versions are affected?
The affected products and versions include:
  • Jenkins 2.441 and earlier versions
  • Jenkins LTS 2.426.2 and earlier versions
4. What is the technical root cause and attack vector?
The technical root cause lies in the Jenkins CLI command parser (Jenkins uses the args4j library to parse CLI arguments and options on the controller). A legitimate parser feature that expands an argument of the form '@' followed by a file path into the contents of that file was left enabled in a context where unauthenticated callers control the arguments, so a caller can name a sensitive file on the controller and have the parser read it. The attack vector is the Jenkins CLI: an unauthenticated attacker supplies a crafted argument consisting of the '@' character followed by the target file path. The vulnerability is categorized under CWE-27 (Path Traversal: 'dir/../../filename') and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'), as it allows unauthorized file access.
5. How can this vulnerability be exploited?
This vulnerability can be exploited by an unauthenticated attacker who crafts a specific command-line argument for the Jenkins CLI. By including the '@' symbol followed by an absolute or relative path to a file on the Jenkins controller's file system, the CLI parser will automatically replace this argument with the contents of the specified file. For example, an attacker could request a command like `jenkins-cli.jar @/etc/passwd` to retrieve the contents of the `/etc/passwd` file, or `jenkins-cli.jar @/var/lib/jenkins/secrets/master.key` to access sensitive Jenkins internal files. Since no authentication is required, this makes the exploitation straightforward and highly impactful.
6. What mitigation steps and patches are available?
To mitigate this vulnerability, users should update their Jenkins instances to patched versions. Specifically, users should update to:
  • Jenkins 2.442 or later (for the weekly release line)
  • Jenkins LTS 2.426.3 or later (for the long-term support release line)
These updated versions disable the problematic feature in the CLI command parser, preventing unauthenticated file content disclosure.
7. How can vulnerable systems be detected?
Vulnerable systems can be detected by checking the installed version of Jenkins. Any Jenkins instance running version 2.441 or earlier (for the weekly release train) or Jenkins LTS 2.426.2 or earlier (for the long-term support release train) is susceptible to this vulnerability. System administrators should verify their Jenkins version numbers against the patched versions.
8. What are the indicators of compromise (IOCs)?
The provided CVE data does not explicitly list specific Indicators of Compromise (IOCs). However, potential IOCs could include:
  • Unusual access patterns or failed login attempts on the Jenkins CLI.
  • Abnormal log entries related to CLI command execution, particularly with arguments containing '@' and file paths that do not correspond to legitimate operations.
  • Unexpected file access events or errors in system logs, especially for sensitive files that should not be directly accessible via the CLI.
  • Presence of unauthorized data exfiltration or modification if the vulnerability was chained with other exploits.
Monitoring CLI activity and file access logs for suspicious patterns is recommended.
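The two checks recommended in sections 7 and 8 can be scripted. The following Python is an added example, not code from CVE Radar or the Jenkins project: `is_vulnerable` applies the page's version thresholds (weekly 2.442, LTS 2.426.3) and distinguishes the two release lines by their component count, and `find_at_file_arguments` flags logged CLI arguments that begin with '@' and a path while ignoring '@' inside ordinary values such as e-mail addresses. The log lines are constructed in a hypothetical audit format; Jenkins' own logging of CLI arguments is not assumed to look like this.

```python
import re
from typing import Iterable, List, Tuple

# Fixed versions as stated on this page: weekly 2.442, LTS 2.426.3.
PATCHED_WEEKLY = (2, 442)
PATCHED_LTS = (2, 426, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.441' or '2.426.2' into an integer tuple; reject anything else."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the CVE-2024-23897 fix.

    Jenkins weekly releases use two components (2.441) and are compared
    against 2.442; LTS releases use three (2.426.2) and are compared
    against 2.426.3. Later LTS lines such as 2.440.1 sort above 2.426.3
    and are therefore reported as patched.
    """
    v = parse_version(version)
    if len(v) == 2:
        return v < PATCHED_WEEKLY
    if len(v) == 3:
        return v < PATCHED_LTS
    raise ValueError(f"unexpected number of version components: {version!r}")


# A CLI argument token that starts with '@' and continues with something
# path-like (contains '/' or '\'). The lookbehind rejects '@' inside a
# word, so e-mail style values such as bob@example.com are not flagged.
AT_FILE_ARG = re.compile(r"(?<![\w.])@([^\s\]]*[/\\][^\s\]]*)")


def find_at_file_arguments(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, referenced path) for every '@path' argument found."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        for match in AT_FILE_ARG.finditer(line):
            hits.append((line, match.group(1)))
    return hits


# Constructed sample lines in a hypothetical CLI audit format (not real
# Jenkins output). Two of them carry an '@path' argument, one carries a
# harmless e-mail address, one carries no '@' at all.
CONSTRUCTED_LOG = [
    "2024-01-25T10:02:11Z cli user=alice cmd=who-am-i",
    "2024-01-25T10:05:40Z cli user=anonymous cmd=help args=[@/etc/passwd]",
    "2024-01-25T10:06:02Z cli user=anonymous cmd=connect-node args=[@../../secrets/master.key]",
    "2024-01-25T10:09:15Z cli user=bob cmd=build args=[deploy -p notify=bob@example.com]",
]


if __name__ == "__main__":
    for ver in ("2.441", "2.442", "2.426.2", "2.426.3", "2.440.1"):
        print(f"Jenkins {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'patched'}")
    for line, path in find_at_file_arguments(CONSTRUCTED_LOG):
        print(f"suspicious '@' argument referencing {path!r}: {line}")
```

The version check is deliberately strict: a string that is not purely numeric components raises rather than guessing, because a silently wrong "patched" verdict is the worse failure mode. The argument rule only flags path-like values; a bare `@name` token is not flagged by it, so tune the pattern to whatever argument logging your deployment actually produces.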
9. Which threat actors are known to exploit this vulnerability?
The CVE data indicates that active exploits have been published to exploit this vulnerability. While specific threat actors are not named, the public availability of exploits suggests that a wide range of malicious actors, from opportunistic attackers to more sophisticated groups, may be leveraging this flaw.
10. What public intelligence references and advisories exist?
The primary public intelligence reference is CVE-2024-23897 itself. Further details and advisories are typically released by the Jenkins project maintainers and cybersecurity organizations following the initial disclosure. Users should refer to the official Jenkins security advisories for the most up-to-date information regarding this vulnerability and recommended patching strategies.
11. What is the risk assessment and urgency level?
The risk assessment for CVE-2024-23897 is extremely high due to its CVSS score of 9.8 (Critical) and the nature of the vulnerability. It allows unauthenticated attackers to read arbitrary files from the Jenkins controller, which can expose highly sensitive information, including credentials, configuration data, and potentially source code. The existence of published active exploits further elevates the risk, indicating that the vulnerability is actively being targeted in the wild. The urgency level for patching and mitigation is therefore Critical. Organizations running affected Jenkins versions should immediately update to a patched version to prevent exploitation.
Indicators listed for this CVE (Type | Indicator | Date)
IP | 220.247.224.226 | 2024-02-20
IP | 91.92.199.36 | 2024-03-25
IP | 76.12.128.249 | 2024-11-08
HOSTNAME | sangsoft.net | 2025-07-05
IP | 36.134.126.74 | 2021-03-03
IP | 47.121.182.36 | 2024-08-07
IP | 47.116.181.146 | 2024-06-03
Public software related to this CVE (Title | Link | Date)
vmc8ll/poc-CVE-2024-23897 | https://github.com/vmc8ll/poc-CVE-2024-23897 | 2026-03-03
wvverez/CVE-2024-23897 | https://github.com/wvverez/CVE-2024-23897 | 2026-01-18
aadi0258/Exploit-CVE-2024-23897 | https://github.com/aadi0258/Exploit-CVE-2024-23897 | 2025-10-26
brandonhjh/Jenkins-CVE-2024-23897-Exploit-Demo | https://github.com/brandonhjh/Jenkins-CVE-2024-23897-Exploit-Demo | 2025-03-28
Marouane133/jenkins-lfi | https://github.com/Marouane133/jenkins-lfi | 2025-01-02
safeer-accuknox/Jenkins-Args4j-CVE-2024-23897-POC | https://github.com/safeer-accuknox/Jenkins-Args4j-CVE-2024-23897-POC | 2024-11-11
zgimszhd61/CVE-2024-23897-poc | https://github.com/zgimszhd61/CVE-2024-23897-poc | 2024-11-01
Related news

ISC StormCast for Monday, January 29th, 2024
Dr. Johannes B. Ullrich, 2024-01-29 (source: sans.edu)
Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Batch Comments; .box TLD abuse; Jenkins CVE-2024-23897 PoC; Malicious Chinese Google Ads. A Batch File With Multiple Payloads: https://isc.sans.edu/diary/A%20Batch%20File%20With%20Multiple%20Payloads/30592 ; fritz.box domain used to advertise NFTs: https://www.heise.de/news/Verwirrend-Internet-Domain-fritz-box-zeigt-NFT-Galerie-statt-Router-Verwaltung-9610149.html ; Jenkins CVE-2024-23897 PoC: https://github.com/gquere/pwn_jenkins/blob/master/README.md#jenkins-cli-arbitrary-read-cve-2024-23897-applies-to-versions-below-2442-and-lts-24263 ; Malicious Google Ads Target

Weekly Intelligence Report – 05 March 2026 - cyfirma
2026-03-05 (tags: fintech, telecommunication, finance, education)
Published On: 2026-03-05. Ransomware of the week: CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple industries, geographies, and technologies that could be relevant to your organization. Type: Ransomware. Target Technologies: Windows. Target Industries: Real Estate and Retail. Target Countries: Mexico, Egypt. Introduction: CYFIRMA Research and Advisory Team has observed Payload Ransomware while monitoring various underground forums as part of our Threat Discovery Process. Payload Ransomware: Payload is a file-encrypting ransomware that appends

Potential Remote Code Execution in Jenkins - Patch Available
CERT.at, 2025-12-01 (source: cert.at)
With the latest version of the CI/CD platform Jenkins, the developers have fixed nine security vulnerabilities, among them a critical one, CVE-2024-23897. It concerns a problem with the integrated command-line interface: "Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has

New GNU/Linux Rootkit LinkPro Discovered in AWS Infrastructure
/u/cyber_Ice7198, 2025-10-17 (source: reddit.com)
An investigation into a compromised AWS-hosted infrastructure revealed a new GNU/Linux rootkit called LinkPro. The attackers exploited a vulnerable Jenkins server (CVE-2024-23897) to deploy a malicious Docker image on Kubernetes clusters. The rootkit, written in Golang, features eBPF modules for concealment and remote activation, allowing attackers to gain persistence and execute commands. The sophisticated malware supports multiple communication protocols and uses a 'magic packet' for activation. The threat actors are suspected to be financially motivated. Sources

LinkPro Rootkit Attacking GNU/Linux Systems Using eBPF Module to Hide Malicious Activities
Tushar Subhra Dutta, 2025-10-17 (source: cybersecuritynews.com)
A sophisticated rootkit targeting GNU/Linux systems has emerged, leveraging advanced eBPF (extended Berkeley Packet Filter) technology to conceal malicious activities and evade traditional monitoring tools. The threat, known as LinkPro, was discovered during a digital forensic investigation of a compromised AWS-hosted infrastructure, where it functioned as a stealthy backdoor with capabilities ranging from process hiding […] The post LinkPro Rootkit Attacking GNU/Linux Systems Using eBPF Module to Hide Malicious Activities

LinkPro: An eBPF-Based Rootkit Hiding Malicious Activity on GNU/Linux
Mayura Kathir, 2025-10-17 (source: gbhackers.com)
Security researchers from Synacktiv CSIRT have uncovered a sophisticated Linux rootkit dubbed LinkPro that leverages eBPF (extended Berkeley Packet Filter) technology to establish persistent backdoor access while remaining virtually invisible to traditional monitoring tools. The infection chain originated from a vulnerable Jenkins server exposed to the internet, exploited through CVE-2024-23897. Threat actors leveraged this initial […] The post LinkPro: An eBPF-Based Rootkit Hiding Malicious Activity on GNU/Linux appeared

GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta's Leaked Chat Logs - GreyNoise
2025-02-26 (source: google.com)
Key Takeaways: GreyNoise has detected active exploitation of 23 of the 62 CVEs mentioned in Black Basta's leaked chat logs, including vulnerabilities affecting enterprise software, security appliances, and widely used web applications. CVE-2023-6875 is being exploited despite not being listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, reinforcing the need for real-time intelligence beyond static lists. Some of these CVEs have been actively exploited in just the past 24 hours, including critical flaws in Palo Alto PAN-OS, JetBrains TeamCity, Microsoft
Social media mentions

Lyrie.ai (@lyrie_ai), 2026-04-29:
Jenkins CLI v< 2.442. CVE-2024-23897 is a critical arbitrary file read vulnerability in Jenkins CLI's argument parsing. CVE-2024-23897: Jenkins CLI Arbitrary File Read via args4j @ Expansion

Loginsoft Threat Intel (@Loginsoft_Intel), 2026-02-11:
Cytellite recent detection targeting CVE-2024-23897 — Stiftung Erneuerbare Freiheit Visit -- https://t.co/Np23qyJLly #Loginsoft #Cytellite #Cybersecurity #CVE202423897 #LOVI #ThreatIntelligence #Infosecurity #AI https://t.co/hkVEAvx3Qk

Loginsoft Threat Intel (@Loginsoft_Intel), 2026-02-11:
Cytellite recent detection targeting CVE-2024-23897 — Stiftung Erneuerbare Freiheit Visit -- https://t.co/Np23qyJLly #Loginsoft #Cytellite #Cybersecurity #CVE202423897 #LOVI #ThreatIntelligence #Infosecurity #AI https://t.co/wmwkMMngoP

K70n0s510/R00tedbyFa17h HTB/Github handles (@Achilles51016), 2025-12-26:
I just published Exposed Pipelines: Rooting HTB Builder via CVE-2024-23897 https://t.co/6Y8sBbNGRf

InfoSec Community (@InfoSecComm), 2025-12-25:
New Writeup Alert! "Exposed Pipelines: Rooting HTB Builder via CVE-2024-23897" by Nmullenski is now live on IW! Check it out here: https://t.co/98VXbCc1HH #cybersecurity #penetrationtesting #ethicalhacking #htbwriteup #redteam

Cybersecurity News Everyday (@TweetThreatNews), 2025-10-18:
A multi-stage AWS compromise exploited CVE-2024-23897 on Jenkins, deploying a malicious Docker image that installed LinkPro, an eBPF Linux rootkit activating via a specific magic packet. #LinuxRootkit #AWSAttack #France https://t.co/k7iPABdVq3
Configuration 1
Type: App | Vendor: Jenkins | Product: jenkins
References
  • Jenkins Security Advisory 2024-01-24 (SECURITY-3314): https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
  • oss-security mailing list post: http://www.openwall.com/lists/oss-security/2024/01/24/6
  • Sonar blog, "Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins": https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
  • Vicarius vsociety, "The Anatomy of a Jenkins Vulnerability: CVE-2024-23897 Revealed": https://www.vicarius.io/vsociety/posts/the-anatomy-of-a-jenkins-vulnerability-cve-2024-23897-revealed-1
  • Packet Storm, Jenkins 2.441 / LTS 2.426.3 CVE-2024-23897 Scanner: http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html
  • Packet Storm, Jenkins 2.441 / LTS 2.426.3 Arbitrary File Read: http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html
Weaknesses (CWE ID | CWE Name | Description)
CWE-27 | Path Traversal: 'dir/../../filename' | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal ../ sequences that can resolve to a location that is outside of that directory.
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
