Detect CVE-2024-23897: Jenkins Arbitrary File Read via CLI Argument Parser (Pre-Auth RCE Chain) in Google Chronicle
CVE-2024-23897 is a critical path traversal vulnerability (CWE-22) in the args4j argument parser used by Jenkins' built-in CLI. The parser replaces any argument that begins with '@' by the contents of the file at that path, so anyone who can reach the CLI endpoint (/cli over HTTP or the /cli/ws WebSocket endpoint) can make the controller read arbitrary files from its filesystem. Without Overall/Read permission (the default for unauthenticated users) only the first few lines of a file are disclosed, through the CLI's error output; with Overall/Read (for example when anonymous read access is enabled) entire files can be retrieved. High-value targets are secrets/master.key, secrets/hudson.util.Secret, credentials.xml and the controller's SSH keys. Combined with other weaknesses (for example forging "Remember me" cookies, or decrypting stored credentials with the extracted keys), the file read chains to unauthenticated remote code execution. CVSS 9.8. Actively exploited (CISA KEV). Affects Jenkins weekly <= 2.441 and LTS <= 2.426.2; fixed in 2.442 and LTS 2.426.3.
MITRE ATT&CK: Initial Access (T1190 Exploit Public-Facing Application), Discovery (T1083 File and Directory Discovery), Credential Access (T1552 Unsecured Credentials)
YARA-L Detection Query
rule cve_2024_23897_jenkins_file_read {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2024-23897 Jenkins CLI arbitrary file read exploitation attempts"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314"
cve = "CVE-2024-23897"
mitre_attack_tactic = "Initial Access, Credential Access"
mitre_attack_technique = "T1190, T1083, T1552"
events:
$http.metadata.event_type = "NETWORK_HTTP"
$http.network.http.method = /POST|GET/
(
$http.network.http.request_uri = /\/cli(\?|\/|$)/ or
$http.network.http.request_uri = /\/remoting\/legacy/
)
(
$http.network.http.request_uri = /@\.\.\// or
$http.network.http.request_uri = /@\/etc\// or
$http.network.http.request_uri = /@\/root/ or
$http.network.http.request_uri = /@.*secret/ or
$http.network.http.request_uri = /@.*passwd/ or
$http.network.http.request_uri = /@.*credential/ or
$http.network.http.request_uri = /@.*id_rsa/
)
match:
$http.principal.ip over 5m
outcome:
$risk_score = max(
if($http.network.http.response_code = 200, 95,
if($http.network.http.response_code = 500, 70, 60))
)
$attacker_ip = array_distinct($http.principal.ip)
$target_uri = array_distinct($http.network.http.request_uri)
condition:
$http
}
Chronicle YARA-L 2.0 rule detecting CVE-2024-23897 Jenkins CLI file read exploitation. Matches HTTP events targeting the Jenkins CLI (/cli, /cli?remoting=false, /cli/ws) or remoting endpoints whose request URI carries an '@'-prefixed path traversal sequence or sensitive file name. The CLI endpoint regex is anchored so that unrelated paths such as /client/ do not match. Aggregates over 5-minute windows per source IP and scores by HTTP response code. Caveat: the real Jenkins CLI client sends its arguments in the POST body, not in the URI, so this rule fires on probes that place the '@' argument in the query string and on log sources that surface request body content in the matched field (WAF or reverse-proxy logs with body inspection). For body-carried payloads, pair it with an endpoint-level signal: a request to /cli followed within the same window by the Jenkins process opening secrets/master.key, credentials.xml or a .ssh/id_rsa file.
False Positives & Tuning
- Build and deployment automation that drives the Jenkins CLI with args4j '@file' arguments (for example loading a job definition from a file). Allowlist the runner's source IPs or service identity rather than loosening the path patterns; an automated client has no reason to reference /etc/, /root or id_rsa.
- Google Cloud security scanner findings forwarded into Chronicle from authorized scanning projects.
- Internal scripts that pass secrets to CLI commands through '@' file references; these legitimately touch files matching the 'secret' and 'credential' patterns, so exclude them by source, never by path.
- Security tooling performing authorized compliance or vulnerability checks against Jenkins endpoints; exclude the scanner ranges and keep the rule enabled for every other source.
- Raise confidence when the source IP has no prior authenticated session to Jenkins, when a 200 response carries an unusually large body, or when the controller logs a file open of secrets/master.key or credentials.xml in the same window.
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated Jenkins CLI file read via args4j '@' expansion
Expected signal: POST to /cli?remoting=false with '@/etc/passwd' as a CLI argument in the request body (the URI itself carries no '@', so the web telemetry must expose the body or only the endpoint-level signal will appear); HTTP 200 with passwd content in the response body (only the first few lines unless the caller has Overall/Read); OS-level file open of /etc/passwd by the jenkins process (auditd/Sysmon).
- Test 2: Jenkins master.key extraction for credential decryption
Expected signal: three sequential POST requests to /cli targeting $JENKINS_HOME/secrets/master.key, $JENKINS_HOME/secrets/hudson.util.Secret and $JENKINS_HOME/credentials.xml; file access events (auditd/Sysmon) for all three files initiated by the Jenkins JVM process; HTTP 200 responses with non-trivial body sizes. Note that hudson.util.Secret is binary and is only partially recoverable through the text-oriented CLI output.
- Test 3: Jenkins CLI path traversal via the remoting legacy endpoint
Expected signal: POST requests to /remoting/legacy and /cli with '@' file arguments; path traversal sequences in the URI or body; file access events for the .ssh/id_rsa of the account running Jenkins; HTTP responses carrying key material in the body.
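The following reference detector is an added example, not code from the original page or from the Jenkins project. It serves two purposes: it runs the rule's matching and scoring logic over constructed sample telemetry, and it builds and decodes the request bodies the three tests above produce, which is what a URI-only rule cannot see. The frame layout assumed here (4-byte big-endian payload length, 1-byte opcode, strings as a 2-byte length plus UTF-8) is the one used by the Jenkins CLI client over HTTP; the event field names, IP addresses, timestamps and request bodies are constructed for the example.

```python
"""Reference detector for CVE-2024-23897 CLI file-read attempts (added example)."""
import re
import struct
from collections import defaultdict
from datetime import datetime, timedelta

# Opcodes in ordinal order of the Jenkins PlainCLIProtocol Op enum (assumed layout).
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3

# Anchored so that /cli, /cli?remoting=false and /cli/ws match but /client/ does not.
CLI_ENDPOINT = re.compile(r"/cli(?:/ws)?(?:\?|/|$)")
SENSITIVE = re.compile(r"\.\./|^/etc/|^/root|secret|passwd|credential|id_rsa", re.I)


def encode_frames(args, locale="en_US", encoding="UTF-8"):
    """Build the 'Side: upload' body a CLI client POSTs to /cli?remoting=false.
    Frame = 4-byte big-endian payload length, 1-byte opcode, payload; string
    payloads follow DataOutputStream.writeUTF (2-byte length + UTF-8, ASCII here)."""
    out = bytearray()

    def frame(op, text=None):
        payload = b""
        if text is not None:
            raw = text.encode("utf-8")
            payload = struct.pack(">H", len(raw)) + raw
        out.extend(struct.pack(">I", len(payload)) + bytes([op]) + payload)

    for arg in args:
        frame(OP_ARG, arg)
    frame(OP_ENCODING, encoding)
    frame(OP_LOCALE, locale)
    frame(OP_START)
    return bytes(out)


def decode_args(body):
    """Return the ARG strings carried in a CLI upload body; truncated input is tolerated."""
    args, i = [], 0
    while i + 5 <= len(body):
        (n,) = struct.unpack(">I", body[i:i + 4])
        op, payload = body[i + 4], body[i + 5:i + 5 + n]
        if len(payload) < n:
            break
        if op == OP_ARG and n >= 2:
            (slen,) = struct.unpack(">H", payload[:2])
            args.append(payload[2:2 + slen].decode("utf-8", "replace"))
        i += 5 + n
    return args


def file_refs(event):
    """'@'-prefixed references to sensitive paths, taken from the URI (all the
    YARA-L rule can see) and from the decoded body (where the real exploit puts them)."""
    refs = re.findall(r"@(\S+)", event["uri"])
    if event.get("body"):
        refs += [a[1:] for a in decode_args(event["body"]) if a.startswith("@")]
    return [r for r in refs if SENSITIVE.search(r)]


def detect(events, window=timedelta(minutes=5)):
    """Per-source-IP aggregation over a window anchored at the first hit, with the
    rule's scoring (200 -> 95, 500 -> 70, otherwise 60). Returns {ip: summary}."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] not in ("GET", "POST") or not CLI_ENDPOINT.search(ev["uri"]):
            continue
        refs = file_refs(ev)
        if refs:
            hits[ev["src_ip"]].append((ev["ts"], ev["status"], refs))
    alerts = {}
    for ip, items in hits.items():
        first = items[0][0]
        in_window = [it for it in items if it[0] - first <= window]
        alerts[ip] = {
            "risk_score": max(95 if st == 200 else 70 if st == 500 else 60 for _, st, _ in in_window),
            "request_count": len(in_window),
            "targets": sorted({r for _, _, refs in in_window for r in refs}),
        }
    return alerts


T0 = datetime(2024, 1, 25, 10, 0, 0)
# Constructed sample telemetry: one attacker, one benign CLI user, one unrelated /client probe.
SAMPLE_EVENTS = [
    {"ts": T0, "src_ip": "203.0.113.7", "method": "POST", "uri": "/cli?remoting=false",
     "body": encode_frames(["help", "@/etc/passwd"]), "status": 200},
    {"ts": T0 + timedelta(seconds=20), "src_ip": "203.0.113.7", "method": "POST",
     "uri": "/cli?remoting=false",
     "body": encode_frames(["connect-node", "@/var/lib/jenkins/secrets/master.key"]), "status": 200},
    {"ts": T0 + timedelta(seconds=40), "src_ip": "203.0.113.7", "method": "GET",
     "uri": "/cli?remoting=false&x=@../../../../etc/shadow", "body": b"", "status": 500},
    {"ts": T0 + timedelta(minutes=1), "src_ip": "10.0.0.5", "method": "POST",
     "uri": "/cli?remoting=false", "body": encode_frames(["list-jobs"]), "status": 200},
    {"ts": T0 + timedelta(minutes=2), "src_ip": "10.0.0.9", "method": "GET",
     "uri": "/client/@secret", "body": b"", "status": 404},
]

if __name__ == "__main__":
    for ip, summary in detect(SAMPLE_EVENTS).items():
        print(ip, summary)
```

Only the attacker host alerts: the two body-carried reads are invisible to a URI-only match and are caught here solely because the body is decoded, while the benign list-jobs call and the /client/ probe produce nothing. Swap SAMPLE_EVENTS for events exported from the proxy or WAF that fronts the controller to check whether that source actually exposes the body field before relying on the rule above.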
Unlock Pro Content
Get the full detection package for CVE-2024-23897 including response playbook, investigation guide, and atomic red team tests.