title: Jenkins Arbitrary File Read via CLI Argument Parser (Pre-Auth RCE Chain) (CVE-2024-23897)
id: df00tech-cve-2024-23897
status: experimental
description: "CVE-2024-23897 is a critical (CVSS 9.8) arbitrary file read vulnerability in the Jenkins CI/CD platform. The Jenkins CLI command parser uses the args4j library's '@' character expansion feature, which substitutes '@filepath' in command arguments with the contents of that file. Because this expansion is not disabled, unauthenticated attackers (or those with minimal permissions) can read arbitrary files from the Jenkins controller filesystem via CLI commands. Readable files include sensitive configuration files (/var/jenkins_home/secrets/master.key, /etc/passwd, credential stores), and the read can be chained to achieve unauthenticated RCE by extracting the cryptographic secrets needed to deserialise malicious data. Affects Jenkins 2.441 and earlier (LTS 2.426.2 and earlier). CISA added it to the KEV catalog with a due date of September 9, 2024. Jenkins servers are commonly internet-exposed by development teams in SMB environments."
references:
  - https://attack.mitre.org/techniques/CVE-2024-23897/
  - https://df00tech.com/detections/CVE-2024-23897
author: df00tech
date: 2026/04/22
tags:
  - attack.cve-2024-23897
  - cve.2024-23897
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate Jenkins CLI usage by developers with @ references to local config files"
  - Jenkins agent connections on port 50000 from authorized build agents
  - Security scanners performing authorized vulnerability assessments on Jenkins instances
level: critical
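The rule's detection block above is a placeholder, so the following is an added example of what a concrete check for this exposure can look like; it is not part of the df00tech rule and not Jenkins project code. It assumes Jenkins sits behind a reverse proxy that writes combined-format access logs, that the Jenkins CLI over HTTP posts to the `/cli` path (optionally with `?remoting=false`), and that legitimate CLI use comes only from an allowlisted internal network. The log lines and the `10.0.0.0/8` allowlist are constructed for the example.

```python
"""Prototype detector for Jenkins CLI endpoint abuse (CVE-2024-23897 exposure).

Added example, not part of the df00tech rule. Assumptions (not from the rule):
  - Jenkins is fronted by a reverse proxy writing combined-format access logs.
  - The Jenkins CLI over HTTP posts to the '/cli' path (optionally '?remoting=false').
  - Authorized CLI use comes only from an allowlist of internal source addresses.
The sample log lines and the allowlist below are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Combined log format:
# host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed allowlist: build infrastructure permitted to use the CLI.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Alert:
    src: str
    user: str
    path: str
    reason: str


def is_trusted(src: str) -> bool:
    """True when the source address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are never trusted
    return any(addr in net for net in TRUSTED_NETS)


def analyse(lines):
    """Return an Alert for each POST to /cli that is anonymous or off-allowlist."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        path = m["path"].split("?", 1)[0]  # drop the query string (e.g. remoting=false)
        if m["method"] != "POST" or path != "/cli":
            continue
        src, user = m["src"], m["user"]
        if user == "-":
            # No authenticated identity on a CLI request: the pre-auth case the rule describes.
            alerts.append(Alert(src, user, m["path"], "anonymous POST to Jenkins CLI endpoint"))
        elif not is_trusted(src):
            alerts.append(Alert(src, user, m["path"], "Jenkins CLI use from outside trusted networks"))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.5.12 - build-agent [22/Apr/2026:10:00:01 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Jenkins-CLI"',
    '203.0.113.45 - - [22/Apr/2026:10:00:03 +0000] "POST /cli?remoting=false HTTP/1.1" 200 734 "-" "Java/17.0.2"',
    '198.51.100.7 - alice [22/Apr/2026:10:00:05 +0000] "POST /cli HTTP/1.1" 200 301 "-" "Jenkins-CLI"',
    '10.0.5.12 - alice [22/Apr/2026:10:00:07 +0000] "GET /job/app/lastBuild/ HTTP/1.1" 200 8890 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.reason}: src={a.src} user={a.user} path={a.path}")
```

Run against the constructed lines, the detector raises two alerts: one for the anonymous POST from 203.0.113.45 and one for the authenticated but off-allowlist POST from 198.51.100.7; the trusted build agent and the ordinary GET are ignored. Tuning the allowlist, and adding your own first-seen logic for user/source pairs, is where the false-positive entries of the rule (developer CLI use, authorized scanners) get handled.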
