Jenkins with no login — CVE-2024-23897

TL;DR
What: A flaw in the Jenkins CLI lets an attacker read files on the Jenkins server using a special “@file” trick in command arguments. In many setups, this works without logging in (unauthenticated), though it may initially reveal only the first few lines of a file; with minimal read rights it can reveal full files.
Why it matters: Reading sensitive files (tokens, keys) can cascade into RCE under certain conditions.
Affected: Jenkins 2.441 and earlier (weekly) and LTS 2.426.2 and earlier. Fixed in 2.442, LTS 2.426.3, and LTS 2.440.1.
Fix now: Upgrade to a fixed version. As a short-term workaround, disable the CLI.
A simple story: “The helper who read the wrong note”
Imagine your Jenkins is a busy office. There’s a helpful clerk at the door called CLI. You can hand this clerk a note (a command), and they’ll read it to Jenkins.
One day, a stranger passes a note that says: “Read what’s in @/etc/passwd.” The clerk has a habit: when a note includes @path, they quietly open that file and put its contents into the note before handing it to Jenkins. The clerk doesn’t even check who handed the note!
Result: the stranger learns what’s inside a file on your server—possibly secrets. That’s CVE-2024-23897 in spirit: a convenience feature in the CLI that replaces @filename with the file’s contents, which attackers can abuse remotely.
What exactly is CVE-2024-23897?
Root cause: Jenkins’s CLI uses a command parser (from args4j) with a feature called expandAtFiles. If an argument contains @/path/to/file, the parser replaces it with the contents of that file. In vulnerable versions, this feature wasn’t disabled.
Impact:
No login: Attackers without Overall/Read permission can often read the first few lines of arbitrary files (how many lines depends on available CLI commands).
Low read rights: Attackers with Overall/Read permission can read entire files.
Chaining: Reading certain binary secrets/keys can enable RCE through follow-on tricks the Jenkins team documented.
Affected & fixed versions: Affected up to 2.441 (weekly) and LTS 2.426.2. Fixed in 2.442, LTS 2.426.3, and LTS 2.440.1—these builds disable the @file behavior in CLI.
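To turn the version ranges above into a repeatable check, here is an added example (not from the advisory or the Jenkins project) that reads the version a Jenkins server reports in its X-Jenkins response header and classifies it against the affected/fixed boundaries stated in this section. Weekly and LTS lines are compared separately, because a weekly build such as 2.430 is numerically newer than LTS 2.426.3 yet still vulnerable. The HTTP responses embedded below are constructed samples, not captures from a real server.

```python
"""Classify a Jenkins version against the CVE-2024-23897 affected ranges.

Added example; not code from the advisory or the Jenkins project.
Boundaries used (from the advisory):
  weekly: 2.441 and earlier affected, fixed in 2.442
  LTS:    2.426.2 and earlier affected, fixed in 2.426.3 and 2.440.1
"""
import re

# Fixed versions from the advisory. LTS versions carry three components,
# weekly versions two, which is how the two release lines are told apart.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(text):
    """Turn '2.426.2' into (2, 426, 2); return None if it is not a version string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version):
    """True if the parsed version is in the vulnerable range for its line."""
    if len(version) == 2:          # weekly release
        return version < FIXED_WEEKLY
    if len(version) == 3:          # LTS release
        return version < FIXED_LTS
    raise ValueError(f"unexpected version shape: {version}")


def version_from_response(raw_response):
    """Extract the X-Jenkins header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def assess(raw_response):
    """Return 'affected', 'fixed' or 'unknown' for a captured HTTP response."""
    header = version_from_response(raw_response)
    if header is None:
        return "unknown"
    version = parse_version(header)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "fixed"


# Constructed sample responses (not captured from any real server).
SAMPLE_AFFECTED = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Jenkins: 2.426.2\r\n"
    "X-Jenkins-Session: 0123abcd\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_FIXED = "HTTP/1.1 200 OK\r\nX-Jenkins: 2.442\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_AFFECTED, SAMPLE_FIXED):
        print(version_from_response(raw), "->", assess(raw))
```

The header check is a triage aid, not proof: a reverse proxy may strip X-Jenkins, and a build with a vendor suffix still parses on its numeric prefix. Confirm the result in Manage Jenkins before closing a ticket on it.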
Why “no login” matters
Because the CLI endpoint can be reachable on many Jenkins installs, an outsider may trigger the @file expansion without authentication, at least to leak the first lines of files. Those lines can still be dangerous (think config headers or keys). With minimal read permission, the floodgates open to entire files.
A safe, local-lab demo (so you understand the shape of the bug)
Practice only in your own isolated lab. Do not touch systems you don’t own. See disclaimer below.
Get the CLI jar from your lab Jenkins (typical path):
curl -fsS http://localhost:8080/jnlpJars/jenkins-cli.jar -o jenkins-cli.jar
Run a harmless command, but pass an argument that references a local file via ‘@’:
java -jar jenkins-cli.jar -s http://localhost:8080 help "@/etc/passwd"
If vulnerable, the parser tries to inline the file content where @/etc/passwd appears, and portions may leak in the output—even without logging in. (Exact behavior varies with version/commands; newer fixed versions block this.)
How this can escalate
The Jenkins team showed that reading certain binary secrets can enable paths to RCE (e.g., via Resource Root URLs or forging “Remember me” cookies), depending on settings and what secrets you can steal. That’s why they treat this as critical and not “just file read.”
How to fix (priority order)
Upgrade Jenkins immediately
Weekly: 2.442 or newer
LTS: 2.426.3 or 2.440.1 (or newer)
These versions disable the @file expansion in CLI.
Short-term workaround (if you can’t upgrade yet): Disable the CLI
Jenkins provides a documented method to disable CLI access; doing so prevents exploitation. (This doesn’t require a restart.) Treat this only as a temporary measure.
Harden access
Ensure anonymous users have no permissions.
Limit network exposure of /cli (and the CLI WebSocket) behind a reverse proxy/VPN.
While you’re patching 23897, also make sure you’re covered for the related WebSocket/CLI origin validation issue (CVE-2024-23898) by upgrading to the same fixed versions.
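If you put /cli behind a reverse proxy as recommended above, the proxy’s access log is where you verify the control is working. The following added example (not part of the article) scans combined-format access log lines and flags any request to the CLI endpoints (/cli, the HTTP transport the CLI jar posts to, and /cli/ws, its WebSocket transport) that arrives from outside an assumed admin network or carries no authenticated user. The allowlisted range and the log lines are constructed for the demo.

```python
"""Flag Jenkins CLI traffic that bypasses the intended network controls.

Added example; not code from the article or the Jenkins project. Reads
reverse-proxy access log lines (combined log format) and reports CLI
requests from outside an allowlisted network or without an HTTP user.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed admin/VPN range for the demo; adjust to your environment.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict of fields for one access log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path   # drop the query string
    return rec


def is_cli_request(path):
    """True for /cli itself and anything beneath it (e.g. /cli/ws)."""
    return path == "/cli" or path.startswith("/cli/")


def from_allowed_network(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def review(lines):
    """Return (ip, path, reasons) for every CLI request that breaks a rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_cli_request(rec["path"]):
            continue
        reasons = []
        if not from_allowed_network(rec["ip"]):
            reasons.append("cli-from-outside-allowlist")
        if rec["user"] == "-":
            reasons.append("cli-without-authenticated-user")
        if reasons:
            findings.append((rec["ip"], rec["path"], reasons))
    return findings


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jan/2024:10:15:32 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Java/17.0.9"',
    '10.0.0.5 - admin [24/Jan/2024:10:16:01 +0000] "POST /cli?remoting=false HTTP/1.1" 200 300 "-" "Java/17.0.9"',
    '198.51.100.20 - - [24/Jan/2024:10:16:40 +0000] "GET /cli/ws HTTP/1.1" 101 0 "-" "Java/17.0.9"',
    '10.0.0.8 - - [24/Jan/2024:10:17:00 +0000] "GET /job/build/1/console HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Jan/2024:10:18:12 +0000] "POST /cli?remoting=false HTTP/1.1" 200 128 "-" "Java/17.0.9"',
]

if __name__ == "__main__":
    for ip, path, reasons in review(SAMPLE_LOG):
        print(f"{ip} {path}: {', '.join(reasons)}")
```

The user field only reflects credentials the proxy saw (HTTP basic auth); it does not prove what Jenkins itself decided about the session, so treat "cli-without-authenticated-user" as a lead to correlate with the Jenkins audit trail rather than a verdict. Any hit from outside the allowlist on a version that is not yet patched is the one to escalate first.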
Disclaimer
This article is for educational and defensive purposes only. Test only in environments you own or have explicit written permission to assess. Unauthorized access to computer systems is illegal. Always patch promptly, follow your organization’s change-management process, and coordinate with your security team.
Sources
Jenkins Security Advisory (Jan 24, 2024): root cause, affected/fixed versions, unauthenticated partial file read, escalation scenarios, and workarounds.
NVD CVE page: concise description of the @file argument expansion leading to arbitrary file read.
Rapid7 / Qualys / others: impact write-ups, scanning and detection context.