CVE-2024-23904 Overview
CVE-2024-23904 is an arbitrary file read vulnerability affecting Jenkins Log Command Plugin version 1.0.2 and earlier. The vulnerability exists because the plugin does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents. This allows unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system.
Critical Impact
Unauthenticated attackers can read sensitive files from the Jenkins controller, potentially exposing credentials, configuration files, private keys, and other sensitive information stored on the server.
Affected Products
- Jenkins Log Command Plugin version 1.0.2 and earlier
- Jenkins installations with vulnerable Log Command Plugin installed
Discovery Timeline
- 2024-01-24 - CVE-2024-23904 published to NVD
- 2024-01-24 - Jenkins releases security advisory (SECURITY-3334)
- 2025-06-20 - Last updated in NVD database
Technical Details for CVE-2024-23904
Vulnerability Analysis
This vulnerability falls under the Path Traversal (CWE-22) category. The Jenkins Log Command Plugin includes a command parser that has a dangerous feature enabled by default: when processing command arguments, if the parser encounters an '@' character followed by a file path, it automatically replaces that entire sequence with the contents of the referenced file. This behavior, while potentially useful in legitimate scenarios, becomes a critical security flaw when exposed to unauthenticated users.
The attack can be executed remotely over the network without requiring any user interaction or prior authentication. An attacker who successfully exploits this vulnerability gains read access to arbitrary files on the Jenkins controller file system, limited only by the permissions of the Jenkins process.
Root Cause
The root cause of this vulnerability is the failure to disable a potentially dangerous feature in the command parser used by the Log Command Plugin. The '@' file expansion feature is a convenience mechanism that was never intended to be accessible to unauthenticated users. The plugin developers did not implement proper access controls or disable this feature, leaving it exposed to exploitation.
Attack Vector
The attack is network-based and requires no authentication. An attacker can craft malicious requests to the Jenkins controller that include specially formatted arguments with the '@' prefix followed by a target file path. The command parser processes these arguments before any meaningful access control checks occur, reading the file contents and incorporating them into the response.
Sensitive files that could be targeted include:
- Jenkins configuration files containing credentials
- SSH private keys stored on the system
- Environment files with API tokens or secrets
- System configuration files such as /etc/passwd
- Application source code or deployment scripts
Detection Methods for CVE-2024-23904
Indicators of Compromise
- Unusual HTTP requests to Jenkins endpoints containing '@' characters followed by file paths in parameters
- Access log entries showing requests with patterns like @/etc/passwd or @/var/jenkins_home/secrets/
- Unexpected file access events on the Jenkins controller, particularly to sensitive configuration directories
- Error messages in Jenkins logs indicating file access attempts to system paths
Detection Strategies
- Monitor Jenkins access logs for suspicious request patterns containing '@' characters followed by path-like strings
- Implement web application firewall (WAF) rules to detect and block requests with file path injection patterns
- Review Jenkins audit logs for unauthenticated access attempts to plugin endpoints
- Deploy file integrity monitoring on critical Jenkins configuration directories
Monitoring Recommendations
- Enable verbose logging for Jenkins plugin activity to capture detailed request information
- Set up alerts for access to sensitive file paths on the Jenkins controller file system
- Monitor network traffic to Jenkins for anomalous request patterns from unknown sources
- Implement centralized log collection to correlate events across Jenkins instances
How to Mitigate CVE-2024-23904
Immediate Actions Required
- Update Jenkins Log Command Plugin to a patched version immediately
- Review Jenkins access logs for evidence of exploitation attempts
- Audit all plugins installed on Jenkins for similar vulnerabilities
- Consider temporarily disabling the Log Command Plugin if an update is not immediately available
- Implement network-level access controls to restrict who can reach the Jenkins controller
Patch Information
Jenkins has released a security advisory addressing this vulnerability. Organizations should update the Log Command Plugin to the latest available version that addresses SECURITY-3334. The official security advisory is available at the Jenkins Security Advisory page.
Additional technical details and discussion can be found on the OpenWall Security Mailing List.
Workarounds
- Uninstall the Log Command Plugin if it is not required for operations
- Implement strict network segmentation to limit access to the Jenkins controller
- Deploy a reverse proxy with WAF capabilities to filter malicious requests
- Enable Jenkins security realm and authorization strategy to add additional access control layers
- Restrict the Jenkins process permissions to minimize the impact of file read attempts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
