Vulnerability in Jenkins Project

CVE-2024-23898

Jenkins 2.217 through 2.441 (both inclusive) and LTS 2.222.1 through 2.426.2 (both inclusive) do not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulner…

EPSS: 0.669 (99.2nd percentile).

Frequently asked questions

What is CVE-2024-23898?
CVE-2024-23898 is a vulnerability in Jenkins (Jenkins Project). It was published on 2024-01-24.
Is CVE-2024-23898 known to be exploited?
Nine public proof-of-concept repositories are indexed. It is not currently listed in the CISA KEV catalog.