CVE-2024-23897: Jenkins Arbitrary File Read via CLI Argument Parser (Pre-Auth RCE Chain)
CVE-2024-23897 is a critical arbitrary file read (CWE-22, path traversal) in the args4j command-line argument parser used by the built-in Jenkins CLI. args4j treats any argument that begins with '@' as a file path and replaces it with that file's contents, one line per argument, so a CLI command such as connect-node echoes the lines of an attacker-chosen file on the Jenkins controller back in its error output. Attackers with Overall/Read permission (including anonymous users where "Allow anonymous read access" is enabled) can read entire files; attackers without it can still read the first few lines, which is enough to expose secrets such as secrets/master.key, secrets/hudson.util.Secret, credentials.xml and SSH keys. Chained with other Jenkins behaviours (for example forging "Remember me" cookies from the recovered cryptographic keys), this yields remote code execution without prior authentication. CVSS 3.1 base score 9.8. Listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Affects Jenkins <= 2.441 and LTS <= 2.426.2; fixed in Jenkins 2.442 and LTS 2.426.3, which disable the '@' expansion feature of the parser.
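To make the mechanism concrete, here is an added example (not Jenkins or args4j code) that re-creates the args4j '@file' expansion in Python, with a constructed in-memory filesystem standing in for the controller's disk and a toy connect-node command that reports unknown agent names back to the caller. The at_syntax flag models the fix, which simply turns the expansion off; file contents, paths and node names are all made up for the example.

```python
"""Added example (not Jenkins or args4j code): a minimal re-creation of the
args4j '@file' argument expansion abused by CVE-2024-23897, beside the fixed
behaviour. The filesystem below is a constructed stand-in for the controller.
"""

# Constructed stand-in for files on the Jenkins controller (contents are made up).
CONTROLLER_FS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "jenkins:x:1000:1000::/var/jenkins_home:/bin/sh\n"
    ),
    "/var/jenkins_home/secrets/master.key": "0123456789abcdef0123456789abcdef\n",
}

# Agent names the toy controller knows about (hypothetical).
NODES = {"builder-01", "builder-02"}


def expand_at_args(args, at_syntax=True):
    """Mimic args4j's expandAtFiles(): an argument starting with '@' is
    replaced by the lines of the named file, one argument per line.
    at_syntax=False models the Jenkins fix (the parser's '@' syntax disabled):
    the argument is passed through literally and no file is touched."""
    expanded = []
    for arg in args:
        if at_syntax and arg.startswith("@"):
            path = arg[1:]
            if path not in CONTROLLER_FS:
                raise ValueError(f"No such file: {path}")
            expanded.extend(CONTROLLER_FS[path].splitlines())
        else:
            expanded.append(arg)
    return expanded


def connect_node(names):
    """Toy version of the connect-node command: every unknown agent name is
    echoed in an error line, which is the channel the real exploit used."""
    output = []
    for name in names:
        if name in NODES:
            output.append(f"Connected {name}")
        else:
            output.append(f'No such agent "{name}" exists.')
    return "\n".join(output)


def run_cli(argv, at_syntax=True):
    """Dispatch one CLI invocation; only connect-node is implemented here."""
    command, *rest = argv
    if command != "connect-node":
        raise ValueError(f"unknown command {command}")
    return connect_node(expand_at_args(rest, at_syntax=at_syntax))


if __name__ == "__main__":
    print("vulnerable:\n" + run_cli(["connect-node", "@/etc/passwd"]))
    print("fixed:\n" + run_cli(["connect-node", "@/etc/passwd"], at_syntax=False))
```

With the vulnerable parser the output contains every line of /etc/passwd inside the "No such agent" messages; with '@' syntax disabled the error names the literal string @/etc/passwd and nothing is read from disk. The real advisory notes that how many lines leak depends on which commands the caller may run, which the toy dispatcher does not model.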
Vulnerability Intelligence
KEV: Known Exploited (CISA)
Affected Software
- Vendor
- Jenkins
- Product
- Jenkins
- Versions
- <= 2.441, LTS <= 2.426.2
Weakness (CWE)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Timeline
- Disclosed
- January 24, 2024
- Patched
- January 24, 2024 (Jenkins 2.442, LTS 2.426.3)
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
What is CVE-2024-23897?
CVE-2024-23897 maps to the MITRE ATT&CK tactics Initial Access (T1190, Exploit Public-Facing Application: the adversary gets into the network through the exposed Jenkins controller), Credential Access (T1552.001, Credentials in Files: secrets and keys read from the controller's disk) and Execution (the post-exploitation RCE chain).
This page provides detection logic for CVE-2024-23897 covering the data sources and telemetry the exploit touches: CommonSecurityLog, AzureDiagnostics, W3CIISLog and SecurityAlert. The query is rated critical severity at high confidence and is shipped for seven SIEM platforms (KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale); the KQL version is reproduced below.
Detection Query (KQL)
// isfuzzy=true lets the union run even when some of the tables are absent from the workspace
union isfuzzy=true
(
CommonSecurityLog
| where DeviceProduct has_any ("Jenkins", "jenkins")
// The HTTP CLI transport posts to /cli (typically /cli?remoting=false), so "remoting" matches the query string
| where RequestURL has "/cli" or RequestURL has "remoting"
| where RequestMethod == "POST"
// Catches '@' arguments placed in the URL; the CLI normally carries them in the POST body, which URL fields do not show
| where RequestURL matches regex @"cli.*@\.\./|cli.*@/etc/|cli.*@/var/jenkins"
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, RequestURL, RequestMethod, Activity, AdditionalExtensions
),
(
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog" or Category == "FrontdoorAccessLog"
| where requestUri_s has "/cli" or requestUri_s has "remoting"
| where httpMethod_s == "POST"
| where requestUri_s matches regex @"@[./]"
| project TimeGenerated, Resource, clientIP_s, requestUri_s, httpMethod_s, httpStatus_d, userAgent_s
),
(
W3CIISLog
| where csUriStem has "/cli"
| where csMethod == "POST"
| where csUriQuery has "@" and (csUriQuery has ".." or csUriQuery has "/etc/" or csUriQuery has "passwd" or csUriQuery has "secret")
| project TimeGenerated, sSiteName, sIP, cIP, csMethod, csUriStem, csUriQuery, scStatus, csUserAgent
),
(
SecurityAlert
| where ProductName has_any ("Jenkins", "Defender for DevOps")
| where AlertName has_any ("file read", "path traversal", "CLI", "CVE-2024-23897")
| project TimeGenerated, AlertName, AlertSeverity, Description, Entities, RemediationSteps
)
| extend CVE = "CVE-2024-23897"
| sort by TimeGenerated desc

Detects exploitation attempts of CVE-2024-23897 by identifying POST requests to Jenkins CLI endpoints containing '@' file expansion patterns, path traversal sequences, or references to sensitive files. Correlates across network logs, WAF/gateway logs, and IIS access logs. Also surfaces Defender for DevOps alerts referencing the CVE.
Caveat: the Jenkins HTTP CLI sends command arguments in the request body of the upload side of a duplex connection to /cli (and the WebSocket variant at /cli/ws sends them in frames after the upgrade), so the '@' argument appears in the URL only when a scanner or tool places it there. For reliable coverage pair this query with request-body inspection at the WAF or reverse proxy, or with file-access telemetry (auditd/Sysmon) on the controller for reads of secrets/master.key, secrets/hudson.util.Secret, credentials.xml and SSH keys by the Jenkins JVM process.
Data Sources
Required Tables
- CommonSecurityLog
- AzureDiagnostics
- W3CIISLog
- SecurityAlert
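As an added example (not part of the page's query pack), the matching rules of the KQL above re-expressed in Python and run over constructed web-access log records, so they can be unit-tested offline. The record fields (src, method, path, query, body) are this example's own, not a SIEM schema, and the sample traffic is made up. It goes one step beyond the KQL by also inspecting a captured request body, where the CLI transport actually carries the '@' argument.

```python
"""Added example (not the page's own detection code): the KQL matching logic
applied to constructed access-log records, including request bodies."""
import re
from urllib.parse import unquote

# Same signals as the KQL: an '@' argument pointing at a traversal sequence,
# an absolute path, or a known-sensitive Jenkins file name.
AT_ARG = re.compile(
    r"@(?:\.\./|/|[^\s\"'&]*(?:passwd|master\.key|hudson\.util\.Secret|credentials\.xml|id_rsa))",
    re.I,
)


def is_cli_request(rec):
    """POST to the Jenkins CLI endpoint: /cli, /cli?remoting=false, /cli/ws."""
    path = rec.get("path", "")
    return rec.get("method", "").upper() == "POST" and (path == "/cli" or path.startswith("/cli/"))


def has_at_expansion(text):
    """URL-decode first so %40..%2F style encodings are not missed."""
    return bool(AT_ARG.search(unquote(text or "")))


def classify(rec):
    """Return a match reason or None. The query string is what WAF/IIS logs
    carry; the body is checked when the collector captured it, because the
    CLI protocol sends the argument strings there as UTF-8."""
    if not is_cli_request(rec):
        return None
    for field in ("query", "body"):
        if has_at_expansion(rec.get(field, "")):
            return f"at-expansion in {field}"
    return None


def scan(records):
    """(source IP, reason) for every record that matches."""
    return [(r["src"], reason) for r in records if (reason := classify(r))]


# Constructed sample traffic (not real captures).
SAMPLE = [
    # exploit attempt over the HTTP CLI transport, argument in the body
    {"src": "203.0.113.5", "method": "POST", "path": "/cli", "query": "remoting=false",
     "body": "connect-node @/etc/passwd"},
    # legitimate CLI use
    {"src": "10.0.0.8", "method": "POST", "path": "/cli", "query": "remoting=false",
     "body": "list-jobs"},
    # secrets file read for the credential-decryption chain
    {"src": "203.0.113.5", "method": "POST", "path": "/cli", "query": "remoting=false",
     "body": "connect-node @secrets/master.key"},
    # client downloading jenkins-cli.jar: not the CLI endpoint
    {"src": "10.0.0.8", "method": "GET", "path": "/jnlpJars/jenkins-cli.jar", "query": "",
     "body": ""},
    # an '@' that is just an e-mail address, should not fire
    {"src": "10.0.0.9", "method": "POST", "path": "/cli", "query": "remoting=false",
     "body": "create-user alice@example.com"},
    # scanner putting a URL-encoded traversal payload in the query string
    {"src": "198.51.100.7", "method": "POST", "path": "/cli", "query": "%40..%2F..%2Fetc%2Fshadow",
     "body": ""},
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE):
        print(f"{src}: {reason}")
```

Running it flags the two body-borne attempts from 203.0.113.5 and the encoded query-string payload from 198.51.100.7, and leaves the jar download, the list-jobs call and the e-mail address alone. Note the WebSocket CLI is still a blind spot for any log that only records the initial GET /cli/ws upgrade.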
False Positives
- Legitimate Jenkins CLI automation scripts that include '@'-prefixed file arguments for intended configuration tasks
- Security scanners or vulnerability assessment tools running authenticated scans against Jenkins endpoints
- CI/CD pipeline health checks or monitoring agents that POST to Jenkins CLI endpoints
- Penetration testing or red team exercises with authorized scope against Jenkins infrastructure
Sigma rule & cross-platform mapping
The detection logic for CVE-2024-23897 above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security, EQL), QRadar (IBM QRadar, AQL), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps) and LogScale (CrowdStrike LogScale, CQL) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  product: azure
The product: azure logsource fits the Sentinel tables used above; the IIS and WAF access-log portions map more naturally to the generic webserver category when ported to another platform.
Testing Methodology
Validate this detection against the three test cases below, written in the style of Atomic Red Team tests. Each lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Unauthenticated Jenkins CLI File Read via args4j @ Expansion
Expected signal: POST request to /cli carrying '@/etc/passwd' as a CLI argument in the request body; HTTP 200 response whose body contains lines of /etc/passwd inside the command's error output; OS-level file open event for /etc/passwd initiated by the Jenkins process
- Test 2: Jenkins master.key Extraction for Credential Decryption
Expected signal: Three sequential POST requests to /cli targeting secrets/master.key, secrets/hudson.util.Secret, and credentials.xml; file access events (auditd/Sysmon) for all three files initiated by the Jenkins JVM process; HTTP 200 responses with non-trivial body sizes (binary files come back partially corrupted by charset decoding, so expect fragments rather than clean key material)
- Test 3: Jenkins CLI Path Traversal via Remoting-Mode URL
Expected signal: POST requests to the CLI endpoint in its remoting query form (/cli?remoting=false) with '@' file arguments; path traversal sequences in URI or body; file access events for .ssh/id_rsa; HTTP responses with key material in the body