What is Jenkins?
Jenkins is the world's most widely deployed open-source CI/CD automation server, used by millions of development teams to build, test, and deploy software. Jenkins masters store extremely sensitive data: VCS credentials, cloud provider credentials, deployment keys, code signing certificates, and LDAP/Active Directory integration credentials. Jenkins build agents execute arbitrary code as part of the build process, making Jenkins a powerful and high-value lateral movement pivot. Like TeamCity, Jenkins is a prime supply-chain attack target. Jenkins also exposes a CLI (Command Line Interface) over HTTP/HTTPS for remote administration, which is the component affected by this vulnerability.
Overview
CVE-2024-23897 is a path traversal vulnerability (CWE-22) in Jenkins' CLI that allows an attacker with limited read access to read arbitrary files from the Jenkins controller filesystem — including Jenkins' secret key used for signing and encrypting credentials. SonarSource discovered the vulnerability in the args4j library's "excessive expansion" behavior: when Jenkins CLI processes command arguments, an argument beginning with @ causes the argument to be replaced with the contents of the referenced file. An unauthenticated user who can reach the CLI can use this to read system files. In most Jenkins configurations, the credential store (containing all saved passwords and keys) can be decrypted using the master secret read via this path traversal, achieving effective full credential compromise. CISA added it to the KEV catalog in August 2024, 7 months after the January 2024 fix.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Jenkins weekly | < 2.442 | 2.442 |
| Jenkins LTS | < 2.426.3 | 2.426.3 |
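To triage a fleet against the version table above, the following added example (not Jenkins project code) compares the version a controller reports in its X-Jenkins response header against the two fix versions from the advisory. It relies on the convention that weekly releases carry two version components (2.441) and LTS releases three (2.426.2), so each reported version is compared against the fix for its own line; the host names and header values are constructed sample data.

```python
"""Triage Jenkins controller versions against the CVE-2024-23897 fix versions.

Added example, not Jenkins project code. Fix versions come from the Jenkins
advisory: 2.442 on the weekly line and 2.426.3 on the LTS line. A Jenkins
controller reports its version in the X-Jenkins response header; the header
samples below are constructed data, not real hosts.
"""
import re
from typing import Dict, Optional, Tuple

FIXED_WEEKLY = (2, 442)      # weekly line: two components
FIXED_LTS = (2, 426, 3)      # LTS line: three components

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor[, patch]) for 'X.Y' or 'X.Y.Z', else None."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def is_vulnerable(version: str) -> Optional[bool]:
    """True when the version is below the fix for its release line.

    Two-component versions are compared against the weekly fix, three-component
    versions against the LTS fix. Returns None for unrecognized strings.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    if len(parsed) == 3:
        return parsed < FIXED_LTS
    return parsed < FIXED_WEEKLY


def triage_hosts(header_samples: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'fixed' or 'unknown' from its X-Jenkins header."""
    verdicts = {True: "vulnerable", False: "fixed", None: "unknown"}
    result = {}
    for host, headers in header_samples.items():
        value = headers.get("X-Jenkins")
        result[host] = verdicts[is_vulnerable(value) if value else None]
    return result


# Constructed sample data: response headers as a scanner might collect them.
SAMPLE_HEADERS = {
    "ci-a.internal": {"X-Jenkins": "2.426.2"},   # LTS, one patch behind the fix
    "ci-b.internal": {"X-Jenkins": "2.442"},     # weekly, exactly the fix
    "ci-c.internal": {"X-Jenkins": "2.440.1"},   # later LTS line, already fixed
    "ci-d.internal": {"X-Jenkins": "2.441"},     # weekly, one release behind
    "ci-e.internal": {"Server": "nginx"},        # header hidden by a proxy
}

if __name__ == "__main__":
    for host, verdict in triage_hosts(SAMPLE_HEADERS).items():
        print(f"{host:16} {verdict}")
```

Hosts reported as "unknown" (a proxy stripping the header, as with ci-e above) need a manual check of the version shown in the Jenkins UI footer or in Manage Jenkins rather than being treated as fixed.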
Technical Details
The path traversal (CWE-22) exploits the args4j library feature where command arguments starting with @ are interpreted as file paths — their content is read and substituted into the argument list. Jenkins CLI uses args4j for argument parsing and this feature is enabled by default.
Read path for unauthenticated attacker:
Jenkins CLI's help command (and some others) does not require authentication. When a CLI argument is processed, the @/path/to/file form causes the file's contents to be read and used as additional arguments or command input. Error messages and partial command output may reflect file content.
Critical files readable:
- /var/lib/jenkins/secret.key — the Jenkins master secret key
- /var/lib/jenkins/secrets/master.key — the master encryption key
- /var/lib/jenkins/credentials.xml — encrypted stored credentials (decryptable with the above keys)
- /var/lib/jenkins/config.xml — full Jenkins configuration including security settings
- OS files: /etc/passwd, SSH private keys, etc.
From file read to full credential compromise:
With the master key and credentials.xml, an attacker can decrypt all credentials stored in Jenkins using standard Jenkins decryption utilities — obtaining plaintext passwords, SSH keys, API tokens, and cloud credentials for every connected system.
RCE path: With decrypted admin credentials, an attacker can authenticate to the Jenkins web UI, create a malicious build job, and execute arbitrary commands on build agents.
Discovery
SonarSource (Yaniv Nizry and team) discovered CVE-2024-23897 as part of their research into "Excessive Expansion" vulnerabilities in argument parsing libraries. The finding was published in coordination with the Jenkins security advisory.
Exploitation Context
CISA added CVE-2024-23897 to the KEV catalog on August 19, 2024, seven months after the January 2024 patch. The delay reflects the typical lag in enterprise CI/CD server patching — Jenkins instances are often treated as internal infrastructure and deprioritized for patching. The ransomwareUse: true flag indicates ransomware operators exploited unpatched Jenkins instances as initial access vectors. The combination of Jenkins' wide deployment, extreme credential value, and the 7-month exposure window made CVE-2024-23897 highly impactful.
Remediation
- Upgrade Jenkins to 2.442 (weekly) or 2.426.3 (LTS) immediately. The CISA deadline was September 9, 2024.
- Rotate all credentials stored in Jenkins — even if exploitation is not confirmed, assume the master key may have been read and all credentials decrypted.
- Rotate the Jenkins master key by regenerating Jenkins secrets ($JENKINS_HOME/secrets/).
- Restrict CLI access — the Jenkins CLI endpoint should only be accessible from authorized administrator IP ranges; consider disabling CLI entirely if not actively used (Manage Jenkins → Security → Disable CLI).
- Audit Jenkins job configurations and build logs for unauthorized changes to existing jobs or creation of new jobs.
- Review credentials plugin audit log for unexpected credential accesses.
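To support the "restrict CLI access" and audit items above, here is an added example (not Jenkins project code) that scans reverse-proxy access logs in combined log format for requests to the CLI endpoint from addresses outside the administrator ranges. It assumes Jenkins is mounted at the root path, so the CLI is reachable at /cli (the HTTP transport of the CLI client posts to /cli?remoting=false); the administrator CIDR and the log lines are constructed sample data.

```python
"""Flag Jenkins CLI endpoint requests from outside the administrator IP ranges.

Added example, not Jenkins project code. Assumes the controller sits behind a
reverse proxy that writes combined-log-format lines and that Jenkins is served
at the root path, so CLI traffic arrives at /cli. The admin network and the
log lines below are constructed sample data.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Assumption: only this range should ever talk to the CLI endpoint.
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Assumption: Jenkins mounted at "/"; set to e.g. "/jenkins" for a context path.
JENKINS_PREFIX = ""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-log-format line into its fields, or None if malformed."""
    match = _LOG_RE.match(line)
    return match.groupdict() if match else None


def is_cli_request(path: str) -> bool:
    """True for the CLI endpoint itself, its sub-paths and its query forms.

    Matches /cli, /cli/... and /cli?... but not unrelated paths such as /client.
    """
    cli = JENKINS_PREFIX + "/cli"
    return path == cli or path.startswith(cli + "/") or path.startswith(cli + "?")


def is_admin_ip(ip: str) -> bool:
    """True when the address falls inside one of the administrator networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def find_suspicious_cli_hits(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, ip, path) for CLI requests from non-admin addresses."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_cli_request(rec["path"]) and not is_admin_ip(rec["ip"]):
            hits.append((rec["ts"], rec["ip"], rec["path"]))
    return hits


# Constructed sample log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = [
    '10.10.0.5 - - [20/Aug/2024:10:01:02 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Java/17"',
    '203.0.113.7 - - [20/Aug/2024:10:02:15 +0000] "POST /cli?remoting=false HTTP/1.1" 200 128 "-" "python-requests/2.31"',
    '203.0.113.7 - - [20/Aug/2024:10:02:16 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [20/Aug/2024:10:03:00 +0000] "GET /client/foo HTTP/1.1" 404 10 "-" "curl/8.0"',
    "this line is not an access log record",
]

if __name__ == "__main__":
    for ts, ip, path in find_suspicious_cli_hits(SAMPLE_LOG):
        print(f"{ts}  {ip:15}  {path}")
```

Access logs do not carry request bodies, so this check cannot see whether an argument used the @ form; it surfaces any use of the CLI endpoint from an unexpected source, which is the signal worth correlating with the job-configuration and credential-access audits listed above.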
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-23897 |
| Vendor / Product | Jenkins — Jenkins Command Line Interface (CLI) |
| NVD Published | 2024-01-24 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-22 |
| CISA KEV Added | 2024-08-19 |
| CISA KEV Deadline | 2024-09-09 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2024-01-24 | Jenkins 2.442 and LTS 2.426.3 released; CVE published; Jenkins security advisory issued |
| 2024-08-19 | CISA adds to KEV (7 months after patch — ongoing exploitation of unpatched Jenkins instances) |
| 2024-09-09 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Jenkins Security Advisory 2024-01-24 — SECURITY-3314 | Vendor Advisory |
| NVD — CVE-2024-23897 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| SonarSource — Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins | Security Research |