---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Remote Code Execution Vulnerability in Jenkins'
number: '2024-014'
version: '1.1'
original_date: 'January 24, 2024'
date: 'January 30, 2024'
---

_History:_

* _29/01/2024 --- v1.0 -- Initial publication_
* _30/01/2024 --- v1.1 -- Fix versions in affected products_

# Summary

On January 24, 2024, Jenkins issued fixes for several vulnerabilities, including **CVE-2024-23897**, a critical vulnerability that could allow an attacker to achieve remote code execution. The Jenkins advisory provides detailed information on the attack scenarios, exploitation pathways, a description of the fixes, and a workaround for those unable to immediately apply the security updates.

Multiple proof-of-concept (PoC) exploits for **CVE-2024-23897** are now publicly available [2].

# Technical Details

The vulnerability **CVE-2024-23897**, with a CVSS score of 9.8, is an arbitrary file read in the Jenkins command-line interface (CLI), which is enabled by default. The CLI's argument parser replaces an `@` character followed by a file path with the contents of that file. An attacker with `Overall/Read` permission can use this to read arbitrary files on the Jenkins controller file system; an attacker without that permission can still read the first few lines of a file, the exact number depending on the CLI command used [2].

The vulnerability **CVE-2024-23898**, with a CVSS score of 8.8, is a cross-site WebSocket hijacking issue in the CLI: an attacker could execute arbitrary CLI commands in the context of a logged-in user by tricking that user into clicking a malicious link [2].

Because the readable files include cryptographic secrets stored under the Jenkins home directory, the exploitation of these vulnerabilities could lead to administrator privilege escalation and arbitrary remote code execution under certain conditions [1].

# Affected Products

- Jenkins weekly up to and including 2.441
- Jenkins LTS up to and including 2.426.2

# Recommendations

CERT-EU recommends the immediate update of affected Jenkins instances to the patched versions, Jenkins weekly 2.442 or Jenkins LTS 2.426.3, or later.

Where an update cannot be applied immediately, the Jenkins advisory states that disabling access to the CLI prevents exploitation and does not require a restart. Since public PoC exploits exist, administrators should also review their instances for signs of unauthorised CLI use and treat secrets stored on exposed controllers as potentially compromised.

# References

[1]

[2]
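The following script is an added example, not part of the CERT-EU advisory, for checking whether a Jenkins version falls inside the affected ranges listed under Affected Products (weekly up to 2.441, LTS up to 2.426.2; fixed in 2.442 and 2.426.3). It distinguishes the two release lines by the shape of the version string (LTS releases carry three components, weekly releases two) and can take the version from the `X-Jenkins` response header that a Jenkins controller adds to its HTTP responses. The response headers in `main()` are constructed for the example; in practice they would come from a request such as `curl -sI https://<controller>/login`.

```python
"""Jenkins version check for CVE-2024-23897 / CVE-2024-23898.

Added example, not part of the CERT-EU or Jenkins advisories. The affected
ranges come from the advisory text: weekly <= 2.441, LTS <= 2.426.2.
"""
from __future__ import annotations

import re
from typing import Mapping, NamedTuple

# Last affected release on each line (from the advisory) and the first fix.
AFFECTED_WEEKLY_MAX = (2, 441)
AFFECTED_LTS_MAX = (2, 426, 2)
FIXED_WEEKLY = "2.442"
FIXED_LTS = "2.426.3"

# Jenkins weekly releases are "MAJOR.MINOR"; LTS releases are "MAJOR.MINOR.PATCH".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


class Verdict(NamedTuple):
    version: str
    line: str        # "weekly" or "lts"
    affected: bool
    fixed_in: str    # first release on the same line that carries the fix


def parse_version(version: str) -> tuple[int, ...]:
    """Return the numeric components of a Jenkins version string."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def check_version(version: str) -> Verdict:
    """Classify a version as weekly or LTS and compare it with the affected range."""
    parts = parse_version(version)
    if len(parts) == 3:
        # Tuple comparison is lexicographic, so 2.426.3 > 2.426.2 and 2.401.3 < 2.426.2.
        return Verdict(version.strip(), "lts", parts <= AFFECTED_LTS_MAX, FIXED_LTS)
    return Verdict(version.strip(), "weekly", parts <= AFFECTED_WEEKLY_MAX, FIXED_WEEKLY)


def version_from_headers(headers: Mapping[str, str]) -> str:
    """Extract the controller version from the X-Jenkins response header.

    Header names are matched case-insensitively because HTTP clients differ
    in how they normalise them.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    raise KeyError("no X-Jenkins header in response")


def main() -> None:
    # Constructed sample response headers, as a Jenkins controller would send them.
    sample_responses = {
        "ci-old": {"X-Jenkins": "2.426.2", "X-Jenkins-Session": "abc123"},
        "ci-new": {"x-jenkins": "2.426.3", "x-jenkins-session": "def456"},
        "ci-weekly": {"X-Jenkins": "2.441"},
    }
    for host, headers in sample_responses.items():
        verdict = check_version(version_from_headers(headers))
        status = f"AFFECTED, update to {verdict.fixed_in}" if verdict.affected else "not affected"
        print(f"{host}: Jenkins {verdict.line} {verdict.version}: {status}")


if __name__ == "__main__":
    main()
```

Versions with vendor suffixes (for example snapshot or distribution-specific builds) are rejected rather than guessed at, since an inaccurate "not affected" result is worse than no result; extend `VERSION_RE` deliberately if such builds are in scope.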