Jenkins Arbitrary File Read (CVE-2024-23897)
Overview
Jenkins Arbitrary File Read, tracked as CVE-2024-23897, affects Jenkins controllers whose built-in CLI argument parser can be abused to read files from the controller filesystem. Because a Jenkins controller typically holds build secrets, stored credentials, API tokens, and the configuration that drives CI/CD pipelines, file disclosure on the controller is a direct supply-chain risk: whatever the controller can sign, deploy, or push, an attacker holding its secrets may be able to do as well.
Vulnerability Overview
CVE-2024-23897 exists because Jenkins parses CLI command arguments with the args4j library, and args4j has a convenience feature, enabled by default, that replaces an argument beginning with @ followed by a file path with that file's contents. Jenkins 2.441 and earlier and LTS 2.426.2 and earlier did not disable this feature, so an argument such as @/path/to/file submitted to the CLI is expanded on the controller before the command runs. Attackers with Overall/Read permission can read entire files; attackers without it can still read the first few lines, with the number of readable lines depending on which CLI commands are available to them and how those commands echo their arguments back in error output. Binary files, including ones holding cryptographic keys, can be read with some limitations.
The issue affects the Jenkins controller, not a build agent: the expansion happens where the CLI command is parsed, which is the controller process. Controller-side files include the controller's own secret key material, stored credentials, job and global configuration, plugin data, and build records, so a file read alone can provide enough material to decrypt stored secrets or escalate to further compromise.
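The mechanism above is easiest to see in a small model of the parser. The following is an added example written for this page, not Jenkins or args4j code: it reproduces the shape of the at-file expansion (each line of the named file becomes one argument) in front of a hypothetical command that reports unknown node names in its error text, which is how the expanded content ends up reflected to the caller. The file contents, the command, and the node list are all constructed for the demonstration; the hardened path simply leaves the expansion switched off, which is what the Jenkins fix does.

```python
import os
import tempfile
from typing import Dict, List, Set

# Constructed model of args4j-style "@file" expansion. Not Jenkins code.
# With at_syntax=True an argument "@<path>" is replaced by the lines of <path>,
# one argument per line. With at_syntax=False the argument is left verbatim.


def expand_at_files(args: List[str], at_syntax: bool) -> List[str]:
    """Pre-parse step that mirrors the vulnerable convenience feature."""
    if not at_syntax:
        return list(args)
    expanded: List[str] = []
    for arg in args:
        if arg.startswith("@"):
            path = arg[1:]
            if not os.path.isfile(path):
                raise ValueError(f"No such file: {path}")
            # Each line of the file becomes its own argument, like args4j does.
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                expanded.extend(line.rstrip("\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


def connect_node_command(args: List[str], known_nodes: Set[str], at_syntax: bool) -> str:
    """Hypothetical CLI command (not a real Jenkins implementation) that takes
    node names and reflects unknown names in its error message. That reflection
    is the leak: every expanded line that is not a node name is echoed back."""
    names = expand_at_files(args, at_syntax)
    errors = [f'No such agent "{name}" exists.' for name in names if name not in known_nodes]
    if errors:
        return "ERROR: " + " ".join(errors)
    return "OK"


def demo() -> Dict[str, str]:
    """Send the same request through the vulnerable and the hardened parser."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.key")
        with open(secret, "w", encoding="utf-8") as fh:
            # Constructed stand-in for a sensitive controller-side file.
            fh.write("line-one-of-secret\nline-two-of-secret\n")
        known_nodes = {"agent-1", "agent-2"}
        request = ["@" + secret]  # attacker-controlled argument
        return {
            "vulnerable": connect_node_command(request, known_nodes, at_syntax=True),
            "hardened": connect_node_command(request, known_nodes, at_syntax=False),
        }


if __name__ == "__main__":
    for mode, output in demo().items():
        print(f"{mode}: {output}")
```

The vulnerable run reflects both lines of the file inside the error text; the hardened run reflects only the literal @ argument. This is also why the amount an attacker can read depends on the command: a command that reflects a single argument leaks one line, while one that reports every unrecognised argument leaks the whole file.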
Impact
The vulnerability is rated Critical with a CVSS 3.1 base score of 9.8. Successful exploitation discloses local files from the Jenkins controller; the follow-on impact depends on what the attacker can read, and controller secrets in particular can be chained into decrypting stored credentials or into remote code execution.
CVE-2024-23897 is listed in the CISA Known Exploited Vulnerabilities catalog, which means exploitation has been observed in real-world environments rather than only demonstrated in research.
Vulnerability Scope
The affected versions are Jenkins weekly 2.441 and earlier, and Jenkins LTS 2.426.2 and earlier. The fix shipped in Jenkins weekly 2.442 and Jenkins LTS 2.426.3. Note that the two release lines are numbered independently: LTS 2.426.3 is fixed even though it sorts below weekly 2.441, so a version check must compare each line against its own cutoff.
The highest-risk systems are internet-facing Jenkins controllers and internal instances reachable by untrusted users. The CLI is enabled by default and is reachable over the same HTTP(S) port as the web interface, so "CLI access enabled" is the normal state rather than an unusual configuration; Jenkins documents disabling CLI access as a workaround for administrators who cannot update immediately.
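Identifying affected versions correctly means handling the weekly and LTS lines separately. The following is an added example, not part of the lab or of Jenkins: it parses version strings of both shapes, compares each against the cutoffs from the advisory, and reads the version from the X-Jenkins response header that a controller sends. The header dictionaries at the bottom are constructed samples, not captured traffic.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed helper, not part of Jenkins or the lab.
# Last affected versions from the Jenkins advisory for CVE-2024-23897.
LAST_AFFECTED_WEEKLY: Tuple[int, ...] = (2, 441)   # fixed in 2.442
LAST_AFFECTED_LTS: Tuple[int, ...] = (2, 426, 2)   # fixed in 2.426.3

# Weekly releases look like "2.441"; LTS releases look like "2.426.2".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2) and '2.441' into (2, 441)."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a Jenkins version string: {text!r}")
    parts = [int(match.group(1)), int(match.group(2))]
    if match.group(3) is not None:
        parts.append(int(match.group(3)))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """Compare against the cutoff for the release line the version belongs to.

    A three-component version is an LTS release and must be compared with the
    LTS cutoff; comparing it with the weekly cutoff would wrongly flag the
    fixed LTS 2.426.3 because (2, 426, 3) sorts below (2, 441)."""
    parsed = parse_version(version)
    if len(parsed) == 3:
        return parsed <= LAST_AFFECTED_LTS
    return parsed <= LAST_AFFECTED_WEEKLY


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Jenkins advertises its version in the X-Jenkins response header."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def assess(headers: Dict[str, str]) -> str:
    """Classify one response as affected, fixed, or unknown."""
    version = version_from_headers(headers)
    if version is None:
        return "unknown (no X-Jenkins header)"
    state = "affected" if is_affected(version) else "fixed"
    return f"{state} ({version})"


# Constructed sample responses, not captured from any real host.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "lts-last-affected": {"X-Jenkins": "2.426.2", "Server": "Jetty(10.0.18)"},
    "lts-first-fixed": {"X-Jenkins": "2.426.3", "Server": "Jetty(10.0.18)"},
    "weekly-last-affected": {"x-jenkins": "2.441"},
    "weekly-first-fixed": {"X-Jenkins": "2.442"},
    "older-lts": {"X-Jenkins": "2.414.3"},
    "not-jenkins": {"Server": "nginx"},
}


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(f"{label:22s} {assess(headers)}")
```

The version header is an inventory aid, not proof of exploitability: a controller on an affected version that has CLI access disabled is not reachable through this bug, and one behind a reverse proxy may strip or rewrite the header. Treat the result as a prioritisation signal and confirm the installed version on the controller itself.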
Lab Focus
This Hackviser lab focuses on how a parser convenience in administrative tooling becomes an arbitrary file read when the parser runs on a privileged host and accepts untrusted input. You will practice identifying affected Jenkins versions across the weekly and LTS lines, recognizing why the impact lands on the controller rather than on agents, and connecting controller file disclosure to CI/CD hardening priorities such as restricting CLI access and rotating exposed secrets.
