Active Exploitation of Multiple Vulnerabilities in Jenkins Products

Published on 30 Jan 2024 | Updated on 30 Jan 2024

Jenkins has released security updates addressing multiple vulnerabilities, including a critical (CVE-2024-23897) vulnerability and a high-severity (CVE-2024-23898) vulnerability in their products. The vulnerabilities are reportedly being actively exploited.

The vulnerabilities are: 

  • CVE-2024-23897: An arbitrary file read vulnerability that allows an unauthenticated attacker with 'overall/read' permission to read data from arbitrary files on the Jenkins server.
  • CVE-2024-23898: A cross-site WebSocket hijacking (CSWSH) vulnerability that allows an attacker to execute arbitrary CLI commands by tricking a user into clicking a malicious link.

The products affected by the vulnerabilities include:

  • Jenkins 2.441 and earlier
  • Jenkins LTS 2.426.2 and earlier

Users and administrators of the affected Jenkins products are advised to upgrade to the latest versions immediately.

More information is available at: