Security Snippets: New Critical Jenkins Vulnerability

Hogan Lovells [co-author: Rachel Dalton]

A vulnerability in the open-source automation server Jenkins is exploitable using a publicly released proof of concept.


On January 24, 2024, Jenkins announced vulnerability CVE-2024-23897. At its core it is an arbitrary file read on the Jenkins controller: an attacker who can reach the Jenkins command-line interface (CLI) can read files from the server, harvest configuration information and secrets, and, as the advisory describes, chain that read into further attacks, up to remote code execution in certain configurations. Attackers with Overall/Read permission can read entire files; even attackers without it can read the first few lines of a file, which is often enough to expose sensitive data. The root cause is the args4j command-line parser that Jenkins uses to process CLI commands. args4j has a feature that replaces an argument beginning with an @ character followed by a file path with the contents of that file, so an attacker who supplies such an argument causes the server to read the file, and its contents are then echoed back in error messages or command output.
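
The following is an added illustration, not code from Jenkins or args4j: a small Python model of what args4j's @-file expansion does to CLI arguments, placed next to the hardened behaviour (at-syntax disabled, which is how the fix works). The command name, the agent list and the "secret" file it reads are all constructed for the example.

```python
"""Model of the args4j "@file" expansion behind CVE-2024-23897.

Constructed example: imitates what args4j's expandAtFiles does to CLI
arguments, next to the hardened behaviour (at-syntax disabled). This is
not Jenkins or args4j code; the command and file below are made up.
"""
import os
import tempfile


def expand_at_files(args, at_syntax=True):
    """Imitate args4j: an argument '@<path>' is replaced by the lines of <path>,
    one line per argument. With at_syntax=False the argument is kept as typed,
    which is what the Jenkins fix does (ParserProperties.withAtSyntax(false))."""
    expanded = []
    for arg in args:
        if at_syntax and arg.startswith("@"):
            path = arg[1:]
            if not os.path.exists(path):
                raise ValueError(f"No such file: {path}")  # args4j reports NO_SUCH_FILE
            with open(path, encoding="utf-8", errors="replace") as fh:
                expanded.extend(fh.read().splitlines())
        else:
            expanded.append(arg)
    return expanded


def connect_node(args, known_agents=("build-1",), at_syntax=True):
    """Toy stand-in (hypothetical) for a CLI command whose error message quotes
    its first argument. Returns the message the caller would see."""
    try:
        tokens = expand_at_files(args, at_syntax)
    except ValueError as exc:
        return str(exc)
    if not tokens:
        return "No agent name given."
    if tokens[0] not in known_agents:
        # The leak: the "agent name" is really the first line of the file.
        return f"No such agent '{tokens[0]}' exists."
    return f"Connected to {tokens[0]}."


def demo():
    """Send the same request to the vulnerable and the hardened parser.
    Returns (vulnerable_message, hardened_message)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "master.key")   # constructed stand-in file
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("0123456789abcdef\n")         # constructed value, not a real key
        vulnerable = connect_node(["@" + secret], at_syntax=True)
        hardened = connect_node(["@" + secret], at_syntax=False)
    return vulnerable, hardened


if __name__ == "__main__":
    v, h = demo()
    print("vulnerable:", v)   # quotes the file's first line
    print("hardened:  ", h)   # quotes the literal '@.../master.key' instead
```

The vulnerable path returns `No such agent '0123456789abcdef' exists.`, i.e. the first line of the file; with at-syntax off the same request only echoes the literal `@` argument. This mirrors why the public proof of concept recovers the first line of files such as the controller's secret material through error messages.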

According to the announcement, the args4j feature that enables this vulnerability is on by default, and Jenkins 2.441 and earlier, as well as Jenkins LTS 2.426.2 and earlier, do not disable it.

Shortly after the vulnerability was announced, a proof of concept enabling easy exploitation was published. Vulnerabilities with publicly available proofs of concept are typically exploited heavily and quickly. Shadowserver has observed around 45,000 Internet-exposed Jenkins instances vulnerable to this issue, at least 12,000 of them in the U.S.

Companies using Jenkins should update to Jenkins 2.442 or Jenkins LTS 2.426.3, the releases that address the vulnerability. Where updating immediately is not possible, the Jenkins advisory notes that disabling access to the CLI prevents exploitation; this is a stopgap, not a substitute for the update.
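
As an added triage helper (not a Jenkins tool), the following Python decides from a Jenkins instance's reported version whether it falls in the range the advisory describes as affected. Jenkins reports its version in the `X-Jenkins` response header; the sample headers below are constructed, and the weekly/LTS distinction rests on the release numbering (two components for weekly, three for LTS).

```python
"""Triage helper for CVE-2024-23897 (constructed example, not a Jenkins tool).

Weekly releases carry two version components (2.441), LTS releases three
(2.426.2). The fixed releases are 2.442 (weekly) and 2.426.3 (LTS); anything
older on its own line is affected.
"""

FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Constructed response headers, as e.g. `curl -sI https://jenkins.example/login`
# might return; the X-Jenkins header is the value we care about.
SAMPLE_HEADERS = """HTTP/1.1 403 Forbidden
X-Jenkins: 2.426.2
X-Jenkins-Session: 9f0c1e2b
Content-Type: text/html;charset=utf-8
"""


def parse_version(text):
    """'2.426.2' -> (2, 426, 2). A trailing suffix such as '-SNAPSHOT' is dropped."""
    core = text.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return parts


def is_vulnerable(version_text):
    """True when the version predates the fix for its release line."""
    version = parse_version(version_text)
    if len(version) == 3:          # LTS line
        return version < FIXED_LTS
    return version < FIXED_WEEKLY  # weekly line


def version_from_headers(raw_headers):
    """Return the X-Jenkins value from a block of HTTP headers (name matched
    case-insensitively), or None when the header is absent."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def triage(raw_headers):
    """'vulnerable', 'patched' or 'unknown' for one instance's response headers."""
    version = version_from_headers(raw_headers)
    if version is None:
        return "unknown"   # header hidden or not a Jenkins instance: inspect manually
    try:
        return "vulnerable" if is_vulnerable(version) else "patched"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    print(version_from_headers(SAMPLE_HEADERS), "->", triage(SAMPLE_HEADERS))
```

A result of "unknown" is not reassurance: an instance that hides the header, or sits behind a proxy that strips it, still needs its version checked from the Jenkins UI or the controller itself. The header check is only a way to prioritise the update, not a way to avoid it.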


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
