CVE-2024-23897

Jenkins Arbitrary File Read via CLI Argument Parser (Pre-Auth RCE Chain)

Initial Access Credential Access Execution

CVE-2024-23897 is a critical (CVSS 9.8) arbitrary file read vulnerability in Jenkins CI/CD platform. The Jenkins CLI command parser uses the args4j library's '@' character expansion feature, which substitutes '@filepath' with the file's contents in command arguments. This is not disabled, allowing unauthenticated attackers (or those with minimal permissions) to read arbitrary files from the Jenkins controller filesystem via CLI commands. Files readable include sensitive configuration files (/var/jenkins_home/secrets/master.key, /etc/passwd, credential stores) and can be chained to achieve unauthenticated RCE by extracting cryptographic secrets needed to deserialise malicious data. Affects Jenkins 2.441 and earlier (LTS 2.426.2 and earlier). CISA added to KEV with due date September 9, 2024. Jenkins servers are commonly internet-exposed by development teams in SMB environments.

Microsoft Sentinel / Defender
kusto 
// CVE-2024-23897 — Jenkins Arbitrary File Read via CLI
// Detect: Jenkins CLI access with @ argument patterns, sensitive file access,
//         and post-exploitation indicators
let JenkinsCLIFileRead =
W3CIISLog
| where TimeGenerated > ago(24h)
| where csUriStem has "/cli"
| where csMethod == "POST"
| where (
    csUriQuery has "@" 
    or csReferer has_any ("master.key", "passwd", "shadow", "credentials", "secrets")
  )
| extend ThreatIndicator = "CVE-2024-23897-Jenkins-CLI-FileRead";
let JenkinsSuspiciousHTTP =
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceProduct has_any ("Jenkins", "CI/CD")
    or DestinationPort in (8080, 8443, 50000)
| where RequestURL has_any (
    "/cli", "@/etc/passwd", "@/var/jenkins", "@/proc/",
    "master.key", "hudson.util.Secret", "credentials.xml"
  )
| extend ThreatIndicator = "CVE-2024-23897-Jenkins-Sensitive-File";
let JenkinsPortScan =
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(24h)
| where DestPort_d in (8080, 8443, 50000)
| summarize ConnectionCount=count(), SourceIPs=make_set(SrcIP_s)
  by DestIP_s, bin(TimeGenerated, 1h)
| where ConnectionCount > 50
| extend ThreatIndicator = "CVE-2024-23897-Jenkins-HighVolume-Scan";
JenkinsCLIFileRead
| union JenkinsSuspiciousHTTP
| union JenkinsPortScan
| sort by TimeGenerated desc
critical severity medium confidence

Data Sources

W3CIISLog (Jenkins reverse proxy access logs, if using IIS/nginx/Apache frontend) CommonSecurityLog (Jenkins syslog integration) Azure Network Analytics (network flow data)

Required Tables

W3CIISLog CommonSecurityLog AzureNetworkAnalytics_CL

False Positives

  • Legitimate Jenkins CLI usage by developers with @ references to local config files
  • Jenkins agent connections on port 50000 from authorized build agents
  • Security scanners performing authorized vulnerability assessments on Jenkins instances
Last updated: 2026-04-22 Research depth: standard
References (5)

Unlock Pro Content

Get the full detection package for CVE-2024-23897 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1190Exploit Public-Facing Application

Same Tactic: Initial Access

Popular Detections