## Jenkins Security Advisory 2024-01-24

### Vulnerabilities Announced

- Jenkins (core)
- Git server Plugin
- GitLab Branch Source Plugin
- Log Command Plugin
- Matrix Project Plugin
- Qualys Policy Compliance Scanning Connector Plugin
- Red Hat Dependency Analytics Plugin

### Descriptions

#### Arbitrary File Read Vulnerability Through the CLI Can Lead to RCE

- **SECURITY-3314 / CVE-2024-23897**
- **Severity (CVSS): Critical**

**Description:**

Jenkins includes a built-in command line interface (CLI) that allows access to Jenkins from a script or shell environment. Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser includes a feature that replaces an `@` character followed by a file path in an argument with the contents of the specified file (expandAtFiles). This feature is enabled by default, and Jenkins versions 2.441 and earlier, as well as LTS 2.426.2 and earlier, do not disable it.

This vulnerability enables attackers to read arbitrary files on the Jenkins controller’s file system using the default character encoding of the Jenkins controller process.

- Attackers with Overall/Read permission can read entire files.
- Attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on the available CLI commands. As of the publication of this advisory, the Jenkins security team has identified methods to read the first three lines of files in recent Jenkins releases without any plugins installed, and has not found any plugins that would increase this line count.

### Fixes

- Jenkins 2.442
- Jenkins LTS 2.426.3
- Jenkins LTS 2.440.1

### Workarounds

For details on recommended workarounds for each vulnerability, see the respective sections in the advisory.
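The following is an added example, not code from Jenkins or args4j: a toy model of the `@`-file expansion the advisory describes, with the feature switchable so the vulnerable default can be compared against the fixed behaviour (expansion disabled for CLI arguments). The command name, file path and file contents are constructed for the demonstration.

```python
import os
import tempfile
from typing import Dict, List


def expand_at_files(argv: List[str], enabled: bool = True) -> List[str]:
    """Mimic args4j's expandAtFiles: an argument '@<path>' is replaced by the
    lines of <path>, each line becoming its own argument. With enabled=False
    (the fixed behaviour) the token is passed through untouched."""
    out: List[str] = []
    for arg in argv:
        if enabled and len(arg) > 1 and arg.startswith("@"):
            # The file is opened by the process doing the parsing, i.e. the
            # Jenkins controller, using its default encoding; that is why the
            # advisory frames this as a file read on the controller.
            with open(arg[1:], encoding="utf-8") as fh:
                out.extend(line.rstrip("\n") for line in fh)
        else:
            out.append(arg)
    return out


def demo() -> Dict[str, object]:
    """Run the same argv through both modes against a constructed file and
    return the resulting argument lists for comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        controller_file = os.path.join(tmp, "controller-file.txt")  # constructed
        with open(controller_file, "w", encoding="utf-8") as fh:
            fh.write("line one\nline two\nline three\n")
        argv = ["example-command", "@" + controller_file]  # constructed argv
        return {
            "vulnerable": expand_at_files(argv, enabled=True),
            "fixed": expand_at_files(argv, enabled=False),
            "path": controller_file,
        }


if __name__ == "__main__":
    for mode, args in demo().items():
        print(f"{mode}: {args}")
```

Because each line of the referenced file becomes a separate argument, the number of lines that surface in a command's error output is what bounds the partial read the advisory describes for users without Overall/Read.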