CVE-2024-23897 Splunk · SPL

Detect Jenkins Arbitrary File Read via CLI Argument Parser (Pre-Auth RCE Chain) in Splunk

CVE-2024-23897 is a critical (CVSS 9.8) arbitrary file read vulnerability in the Jenkins CI/CD platform. The Jenkins CLI command parser uses the args4j library's '@' character expansion feature, which replaces an argument of the form '@filepath' with the contents of that file. The feature was left enabled, so unauthenticated attackers (or users with minimal permissions) can read arbitrary files from the Jenkins controller filesystem through CLI commands. Readable files include sensitive configuration files (/var/jenkins_home/secrets/master.key, /etc/passwd, credential stores), and the read can be chained into unauthenticated RCE by extracting the cryptographic secrets needed to deserialise malicious data. Affects Jenkins 2.441 and earlier (LTS 2.426.2 and earlier). CISA added it to the KEV catalogue with a due date of September 9, 2024. Jenkins servers are commonly internet-exposed by development teams in SMB environments.

MITRE ATT&CK

Tactics

  • Initial Access
  • Credential Access
  • Execution

SPL Detection Query

Splunk (SPL)
index=web sourcetype IN ("access_combined", "nginx:plus:kv", "iis", "apache:access",
  "nginx:access", "tomcat:access")
(uri_path="*/cli*" OR uri_path="*/jnlpJars/jenkins-cli.jar*")
| where
  (
    like(uri_path, "%/cli%")
    AND http_method="POST"
    AND (
      match(_raw, "(?i)(@/etc/|@/var/jenkins|@/proc/|@/root|master\.key|hudson\.util\.Secret|credentials\.xml)")
      OR match(form_data, "(?i)(@/etc/|@/var/jenkins|master\.key|secrets/)")
    )
  )
  OR
  (
    (status=200 OR status=403 OR status=500)
    AND match(_raw, "(?i)(secret|key|credential|password|master)")
  )
| eval CVE="CVE-2024-23897"
| eval ThreatType="Jenkins-CLI-ArbitraryFileRead"
| eval SensitiveFile=case(
    match(_raw, "master\.key"), "master.key (Jenkins encryption key)",
    match(_raw, "hudson\.util\.Secret"), "hudson.util.Secret (credential encryption)",
    match(_raw, "credentials\.xml"), "credentials.xml (stored credentials)",
    match(_raw, "/etc/passwd"), "/etc/passwd (system users)",
    match(_raw, "secrets/"), "Jenkins secrets directory",
    true(), "Unknown sensitive file"
  )
| stats count AS ExploitAttempts,
        values(src_ip) AS SourceIPs,
        values(uri_path) AS RequestPaths,
        values(SensitiveFile) AS TargetFiles
  BY host, CVE, ThreatType, _time span=1h
| where ExploitAttempts >= 1
| table _time, host, SourceIPs, RequestPaths, TargetFiles, ExploitAttempts, CVE, ThreatType
| sort - ExploitAttempts
Severity: critical · Confidence: high

Detects CVE-2024-23897 exploitation attempts in Jenkins web access logs by identifying POST requests to the /cli endpoint that carry @-prefixed file path arguments targeting sensitive Jenkins files (master.key, credentials.xml, hudson.util.Secret). Reading master.key is the first step in the deserialisation-based RCE chain.

Data Sources

  • Jenkins web access logs (nginx/Apache/Tomcat reverse proxy logs)
  • Application server access logs (Tomcat, Jetty running Jenkins)

Required Sourcetypes

  • access_combined
  • nginx:access
  • apache:access

False Positives & Tuning

  • Jenkins automation scripts using @ file references to local files for CLI operations
  • Authorised penetration testing of Jenkins instances
Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CVE-2024-23897 file read via Jenkins CLI jar

    Expected signal: Jenkins access log: POST /cli from attacker IP with @/etc/passwd in request body.
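The following is an added, stand-alone re-implementation in Python of the SPL query's matching and aggregation logic (not the page's own code and not a Splunk component), run over constructed access-log lines so the regex patterns can be exercised offline before the search is deployed. The constructed lines reproduce the Test 1 signal above (a POST to /cli carrying @/etc/passwd) alongside benign traffic. The IPs, timestamps and the trailing body="..." field are assumptions: a standard access_combined line does not record the request body, so the @-pattern is only visible in these logs when the proxy is configured to log it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx-style access-log lines (not real telemetry). The trailing
# body="..." field is an assumed extension written by a proxy that logs CLI
# request bodies; a standard access_combined line has no such field.
SAMPLE_LOGS = [
    '10.0.0.5 - - [19/Aug/2024:10:01:02 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Java/17" body="connect-node @/etc/passwd"',
    '10.0.0.5 - - [19/Aug/2024:10:01:05 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Java/17" body="help @/var/jenkins_home/secrets/master.key"',
    '192.168.1.20 - - [19/Aug/2024:10:02:00 +0000] "GET /job/build/lastBuild/consoleText HTTP/1.1" 200 4096 "-" "Mozilla/5.0" body=""',
    '192.168.1.21 - - [19/Aug/2024:10:03:00 +0000] "GET /jnlpJars/jenkins-cli.jar HTTP/1.1" 200 3000000 "-" "curl/8.0" body=""',
    '10.0.0.9 - - [19/Aug/2024:10:04:00 +0000] "POST /cli?remoting=false HTTP/1.1" 403 0 "-" "Java/17" body="who-am-i"',
]

LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: body="(?P<body>[^"]*)")?$'
)

# Same patterns as the match() calls in the SPL query.
FILE_READ_RE = re.compile(
    r"(@/etc/|@/var/jenkins|@/proc/|@/root|master\.key|hudson\.util\.Secret|credentials\.xml)", re.I)
KEYWORD_RE = re.compile(r"(secret|key|credential|password|master)", re.I)

# Ordered like the eval case(): the first matching label wins.
SENSITIVE_FILE_LABELS = [
    (re.compile(r"master\.key"), "master.key (Jenkins encryption key)"),
    (re.compile(r"hudson\.util\.Secret"), "hudson.util.Secret (credential encryption)"),
    (re.compile(r"credentials\.xml"), "credentials.xml (stored credentials)"),
    (re.compile(r"/etc/passwd"), "/etc/passwd (system users)"),
    (re.compile(r"secrets/"), "Jenkins secrets directory"),
]


def parse_line(line):
    """Split one access-log line into the fields the SPL query relies on."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src_ip": m.group("src_ip"),
        "_time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "http_method": m.group("method"),
        "uri_path": m.group("uri").split("?", 1)[0],  # Splunk's uri_path drops the query string
        "status": int(m.group("status")),
        "_raw": line,
    }


def classify_sensitive_file(raw):
    for pattern, label in SENSITIVE_FILE_LABELS:
        if pattern.search(raw):
            return label
    return "Unknown sensitive file"


def matched_branch(ev):
    """Return which OR-branch of the SPL query fires for the event, or None."""
    on_cli = "/cli" in ev["uri_path"]  # glob */cli*; also matches paths like /client
    if on_cli and ev["http_method"] == "POST" and FILE_READ_RE.search(ev["_raw"]):
        return "cli_post_file_read"
    if ((on_cli or "/jnlpJars/jenkins-cli.jar" in ev["uri_path"])
            and ev["status"] in (200, 403, 500) and KEYWORD_RE.search(ev["_raw"])):
        return "cli_sensitive_keyword"
    return None


def detect_exploit_attempts(lines):
    """Parse raw lines and keep only those the query would flag."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        branch = matched_branch(ev)
        if branch:
            ev["Branch"] = branch
            ev["SensitiveFile"] = classify_sensitive_file(ev["_raw"])
            events.append(ev)
    return events


def summarise(events):
    """Mirror `stats count, values(...) BY _time span=1h` (no host field in these logs)."""
    buckets = defaultdict(lambda: {"ExploitAttempts": 0, "SourceIPs": set(),
                                   "RequestPaths": set(), "TargetFiles": set()})
    for ev in events:
        hour = ev["_time"].replace(minute=0, second=0, microsecond=0).isoformat()
        b = buckets[hour]
        b["ExploitAttempts"] += 1
        b["SourceIPs"].add(ev["src_ip"])
        b["RequestPaths"].add(ev["uri_path"])
        b["TargetFiles"].add(ev["SensitiveFile"])
    return {k: {f: (sorted(v) if isinstance(v, set) else v) for f, v in b.items()}
            for k, b in buckets.items()}


if __name__ == "__main__":
    for hour, row in summarise(detect_exploit_attempts(SAMPLE_LOGS)).items():
        print(hour, row)
```

Run directly it prints one row per hour bucket; on the constructed input only the two POSTs carrying @-paths fire, both via the first branch. Two tuning points visible in the code: the `*/cli*` wildcard also matches unrelated paths that contain "/cli" (for example "/client"), and the second branch fires on any of the bare keywords such as "key" anywhere in the raw line, which is why that branch is the noisier of the two.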
