CVE-2024-23897 Microsoft Sentinel · KQL

Detect Jenkins Arbitrary File Read via CLI Argument Parser (Pre-Auth RCE Chain) in Microsoft Sentinel

CVE-2024-23897 is a critical (CVSS 9.8) arbitrary file read vulnerability in the Jenkins CI/CD platform. The Jenkins CLI command parser uses the args4j library's '@' expansion feature, which replaces a '@filepath' argument with the contents of that file. Because this expansion is enabled by default in affected versions, unauthenticated attackers (or users with minimal permissions) can read arbitrary files from the Jenkins controller filesystem via CLI commands. Readable files include sensitive configuration files (/var/jenkins_home/secrets/master.key, /etc/passwd, credential stores), and the read can be chained into unauthenticated RCE by extracting the cryptographic secrets needed to deserialise malicious data. Affects Jenkins 2.441 and earlier (LTS 2.426.2 and earlier). CISA added it to the KEV catalogue with a due date of September 9, 2024. Jenkins servers are commonly internet-exposed by development teams in SMB environments.

MITRE ATT&CK

Tactics

  • Initial Access
  • Credential Access
  • Execution

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// CVE-2024-23897 — Jenkins Arbitrary File Read via CLI
// Detect: Jenkins CLI access with @ argument patterns, sensitive file access,
//         and post-exploitation indicators
let JenkinsCLIFileRead =
W3CIISLog
| where TimeGenerated > ago(24h)
| where csUriStem has "/cli"
| where csMethod == "POST"
| where (
    // '@' is not an indexed term, so `has "@"` cannot match it; use contains
    csUriQuery contains "@"
    or csReferer has_any ("master.key", "passwd", "shadow", "credentials", "secrets")
  )
| extend ThreatIndicator = "CVE-2024-23897-Jenkins-CLI-FileRead";
let JenkinsSuspiciousHTTP =
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceProduct has_any ("Jenkins", "CI/CD")
    or DestinationPort in (8080, 8443, 50000)
// "@/" marks an @<path> argument injection; the file names are matched as terms
| where RequestURL contains "@/"
    or RequestURL has_any ("/cli", "master.key", "hudson.util.Secret", "credentials.xml")
| extend ThreatIndicator = "CVE-2024-23897-Jenkins-Sensitive-File";
let JenkinsPortScan =
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(24h)
| where SubType_s == "FlowLog"   // flow records only, not topology records
| where DestPort_d in (8080, 8443, 50000)
| summarize ConnectionCount=count(), SourceIPs=make_set(SrcIP_s)
  by DestIP_s, bin(TimeGenerated, 1h)
| where ConnectionCount > 50
| extend ThreatIndicator = "CVE-2024-23897-Jenkins-HighVolume-Scan";
JenkinsCLIFileRead
| union JenkinsSuspiciousHTTP
| union JenkinsPortScan
| sort by TimeGenerated desc
```

Severity: critical · Confidence: medium

Detects CVE-2024-23897 exploitation indicators: (1) HTTP POST requests to the Jenkins /cli endpoint with '@' argument patterns indicating file path injection, (2) CommonSecurityLog entries showing requests for sensitive Jenkins file paths (master.key, credentials.xml), and (3) high-volume scanning of Jenkins ports (more than 50 connections to a single destination within an hour) from external IPs, indicating reconnaissance ahead of exploitation.

Data Sources

  • W3CIISLog (Jenkins reverse proxy access logs, if using an IIS/nginx/Apache frontend)
  • CommonSecurityLog (Jenkins syslog integration)
  • Azure Network Analytics (network flow data)

Required Tables

  • W3CIISLog
  • CommonSecurityLog
  • AzureNetworkAnalytics_CL

False Positives & Tuning

  • Legitimate Jenkins CLI usage by developers with @ references to local config files
  • Jenkins agent connections on port 50000 from authorized build agents
  • Security scanners performing authorized vulnerability assessments on Jenkins instances
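To exercise the matching logic offline, the following is an added example written for this page (not the rule author's, Microsoft's or Jenkins' code): it re-implements the three legs of the KQL query above in Python, runs them over constructed sample telemetry (W3C IIS access-log lines, CEF lines of the shape that lands in CommonSecurityLog, and flow records), and applies the allowlist tuning the false-positive list calls for (authorized build agents and developer hosts). The log lines, IP addresses, the W3C field order and the CEF extension keys are constructed assumptions; the port list, the 50-connections-per-hour threshold and the file-name tokens come from the query.

```python
# Added example: Python re-implementation of the three KQL legs over constructed
# telemetry. Field layouts, hosts and addresses below are assumptions, not real data.
from collections import defaultdict
from datetime import datetime

# Tokens the query looks for in referers and request URLs, plus the Jenkins ports.
SENSITIVE_TOKENS = ("master.key", "passwd", "shadow", "credentials", "secrets",
                    "hudson.util.Secret", "credentials.xml")
JENKINS_PORTS = {8080, 8443, 50000}
SCAN_THRESHOLD = 50  # query threshold: more than 50 connections per destination per hour

# Constructed W3C IIS lines from a reverse proxy in front of Jenkins. The field order
# is an assumed #Fields header; '-' marks an empty field, as in real IIS logs.
W3C_FIELDS = ("date", "time", "s-ip", "cs-method", "cs-uri-stem",
              "cs-uri-query", "c-ip", "cs(Referer)")
W3C_LINES = [
    "2024-01-26 10:03:11 10.0.0.5 POST /cli - 198.51.100.9 -",
    "2024-01-26 10:03:12 10.0.0.5 POST /cli remoting=false&arg=@/etc/passwd 203.0.113.7 -",
    "2024-01-26 10:04:00 10.0.0.5 POST /cli - 10.0.0.42 http://jenkins.internal/credentials/store",
    "2024-01-26 10:05:30 10.0.0.5 GET /job/build/1/console - 198.51.100.9 -",
]


def parse_w3c(line):
    """Split one W3C line into a dict keyed by field name."""
    values = line.split()
    if len(values) != len(W3C_FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    return {k: ("" if v == "-" else v) for k, v in zip(W3C_FIELDS, values)}


def cli_file_read_hits(lines, allowlist=frozenset()):
    """Leg 1 (JenkinsCLIFileRead): POST to /cli with '@' in the query string or a
    sensitive file name in the referer. The CLI normally carries its arguments in
    the POST body, which access logs do not record, so this leg only sees '@'
    arguments that ended up in the URL."""
    hits = []
    for line in lines:
        rec = parse_w3c(line)
        if rec["c-ip"] in allowlist or rec["cs-method"] != "POST":
            continue
        if "/cli" not in rec["cs-uri-stem"]:
            continue
        if "@" in rec["cs-uri-query"] or any(t in rec["cs(Referer)"] for t in SENSITIVE_TOKENS):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["cs-uri-query"]))
    return hits


# Constructed CEF lines of the shape that lands in CommonSecurityLog; extension
# values contain no spaces, so a whitespace split is enough here.
CEF_LINES = [
    "CEF:0|Jenkins|Jenkins|2.441|100|HTTP request|3|src=203.0.113.7 dst=10.0.0.5 dpt=8080 "
    "request=/cli?arg=@/var/jenkins_home/secrets/master.key",
    "CEF:0|Jenkins|Jenkins|2.441|100|HTTP request|3|src=10.0.0.42 dst=10.0.0.5 dpt=8080 "
    "request=/job/build/2/console",
]


def parse_cef(line):
    """Return the CEF header product plus the extension key/value pairs."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    ext = dict(kv.split("=", 1) for kv in parts[7].split())
    return {"product": parts[2], **ext}


def sensitive_url_hits(lines):
    """Leg 2 (JenkinsSuspiciousHTTP): Jenkins product or Jenkins port, and a request
    URL carrying an '@/' path injection or a sensitive Jenkins file name."""
    hits = []
    for line in lines:
        rec = parse_cef(line)
        jenkins_ish = "Jenkins" in rec["product"] or int(rec.get("dpt", 0)) in JENKINS_PORTS
        url = rec.get("request", "")
        if jenkins_ish and ("@/" in url or any(t in url for t in SENSITIVE_TOKENS)):
            hits.append((rec["src"], url))
    return hits


# Constructed flow records (timestamp, source, destination, destination port): two
# external hosts open 60 connections to 8080 within one hour, and an authorized
# build agent (10.0.0.77) connects to 50000 five times in the same hour.
FLOWS = [(f"2024-01-26T11:{i:02d}:00", "203.0.113.7" if i % 2 else "198.51.100.9",
          "10.0.0.5", 8080) for i in range(60)]
FLOWS += [(f"2024-01-26T11:{i:02d}:00", "10.0.0.77", "10.0.0.5", 50000) for i in range(5)]


def high_volume_scan(flows, threshold=SCAN_THRESHOLD, allowlist=frozenset()):
    """Leg 3 (JenkinsPortScan): more than `threshold` connections to a Jenkins port
    per destination per hour; allowlisted sources (e.g. build agents) are excluded."""
    buckets = defaultdict(list)
    for ts, src, dst, port in flows:
        if port not in JENKINS_PORTS or src in allowlist:
            continue
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        buckets[(dst, hour)].append(src)
    return [(dst, hour.isoformat(), len(srcs), sorted(set(srcs)))
            for (dst, hour), srcs in buckets.items() if len(srcs) > threshold]


if __name__ == "__main__":
    trusted = frozenset({"10.0.0.42", "10.0.0.77"})  # developer host and build agent
    for hit in cli_file_read_hits(W3C_LINES, trusted) + sensitive_url_hits(CEF_LINES):
        print("CVE-2024-23897 indicator:", hit)
    for scan in high_volume_scan(FLOWS, allowlist=trusted):
        print("high-volume scan:", scan)
```

Run without an allowlist and the developer host 10.0.0.42 fires on leg 1 (its referer contains "credentials") while the build agent inflates the leg 3 count to 65; pass the trusted set and both disappear, which is exactly the tuning the false-positive list above describes. The substring checks here correspond to `contains` in Kusto; `has`/`has_any` match whole terms, which is why the query cannot key on a bare '@'.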

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: CVE-2024-23897 file read via Jenkins CLI jar

    Expected signal: Jenkins access log: POST /cli from attacker IP with @/etc/passwd in request body.
