Jenkins Security Advisory 2024-01-24
Affects Jenkins Core Affects plugin: Git server Affects plugin: GitLab Branch Source Affects plugin: Log Command Affects plugin: Matrix Project Affects plugin: Qualys Policy Compliance Scanning Connector Affects plugin: Red Hat Dependency Analytics
CSIRTS triage
- What
- Multiple vulnerabilities affecting various Jenkins plugins have been identified.
- Who is affected
- Users of Jenkins Core and its plugins.
- Urgency
- Remediation is urgent as exploitation is confirmed.
- Action
- Apply the security updates as per the advisory.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Jenkins Core
Get an email when a new Jenkins Core advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.jenkins.io/security/advisory/2024-01-24/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Exploitation likely imminentCVE-2024-23897EPSS puts this in the most-targeted tier (100.0% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 100% of all scored CVEs.
- Exploitation likely imminentCVE-2024-23898EPSS puts this in the most-targeted tier (66.9% 30-day exploitation probability). Prioritize alongside KEV items. Riskier than 99% of all scored CVEs.
- Moderate exploitation riskCVE-2024-238991.3% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 66% of all scored CVEs.
- Low exploitation riskCVE-2024-239000.69% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 48% of all scored CVEs.
- Low exploitation riskCVE-2024-239010.46% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 37% of all scored CVEs.
- Low exploitation riskCVE-2024-239020.32% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 24% of all scored CVEs.
- Low exploitation riskCVE-2024-239030.50% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 39% of all scored CVEs.
- Low exploitation riskCVE-2023-61480.46% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 37% of all scored CVEs.
- Low exploitation riskCVE-2023-61470.55% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 42% of all scored CVEs.
- Low exploitation riskCVE-2024-239050.56% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 43% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2024-23897 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-23898 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-23899 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-23900 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-23901 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-23902 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-23903 | coverage & exploitation status | NVD · CVE.org |
| CVE-2023-6148 | coverage & exploitation status | NVD · CVE.org |
| CVE-2023-6147 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-23905 | coverage & exploitation status | NVD · CVE.org |
| CVE-2024-23904 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- criticalexploitedCVE-2024-23897: Jenkins Command Line Interface (CLI) Path Traversal Vulnerabilitycisa-kev
More from Jenkins Security Advisories
- unknownJenkins Security Advisory 2026-06-242026-06-24
- unknownJenkins Security Advisory 2026-06-102026-06-10
- unknownJenkins Security Advisory 2026-05-272026-05-27
- unknownJenkins Security Advisory 2026-04-292026-04-29
- unknownJenkins Security Advisory 2026-03-182026-03-18