{
  "threat_severity" : "Critical",
  "public_date" : "2024-01-09T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE",
    "id" : "2260180",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2260180"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-88",
  "details" : [ "Jenkins 2.441 and earlier, LTS 2.426.2 and earlier do not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.", "A flaw was found in Jenkins, which uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces the \"@\" character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default; Jenkins 2.441 and earlier as well as LTS 2.426.2 and earlier do not disable it." ],
  "affected_release" : [ {
    "product_name" : "OCP-Tools-4.12-RHEL-8",
    "release_date" : "2024-02-12T00:00:00Z",
    "advisory" : "RHSA-2024:0778",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8",
    "package" : "jenkins-0:2.426.3.1706515686-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.13-RHEL-8",
    "release_date" : "2024-02-12T00:00:00Z",
    "advisory" : "RHSA-2024:0776",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8",
    "package" : "jenkins-0:2.426.3.1706516254-3.el8"
  }, {
    "product_name" : "OpenShift Developer Tools and Services for OCP 4.11",
    "release_date" : "2024-02-12T00:00:00Z",
    "advisory" : "RHSA-2024:0775",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.11::el8",
    "package" : "jenkins-0:2.426.3.1706516929-3.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-23897\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-23897\nhttp://www.openwall.com/lists/oss-security/2024/01/24/6\nhttps://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ],
  "name" : "CVE-2024-23897",
  "mitigation" : {
    "value" : "Disabling access to the CLI is expected to prevent exploitation completely. Doing so is strongly recommended to administrators unable to immediately update to Jenkins 2.442, LTS 2.426.3 or LTS 2.440.1. Applying this workaround does not require a Jenkins restart.",
    "lang" : "en:us"
  },
  "csaw" : false
}