PoC Releases for Jenkins CVE-2024-23897 Remote Code Execution Flaw

Numerous public Proof-of-Concept (PoC) exploits have emerged for a critical Jenkins vulnerability that allows an unauthenticated attacker to read arbitrary files, and cybercriminals are already actively leveraging the flaw in their attacks.

On January 24, 2024, Jenkins released patches for nine security vulnerabilities and published advisories detailing various attack scenarios, exploitation methods, descriptions of the fixes, and potential workarounds for those unable to apply updates.


Among these patched vulnerabilities, the critical CVE-2024-23897 stands out. It leads to Remote Code Execution (RCE) and enables reading arbitrary files in the Jenkins controller’s file system.

Because the advisories describe Jenkins' weaknesses in such detail, many security researchers have reproduced the attack scenarios and created working PoC exploits for CVE-2024-23897, which they have published on GitHub [1, 2]. The effectiveness of these PoCs has been verified, so attackers scanning for exposed servers are already trying the same attack scenarios with little or no modification. Some researchers report that their Jenkins honeypots have been targeted, indicating that attackers have begun exploiting the vulnerability in the wild.