CVE-2024-23898

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.

Published: Jan 24, 2024
Updated: May 4, 2025
CVE: CVE-2024-23898
GHSA: GHSA-53ph-2r2x-vqw8
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWEs:

CWE-346

Affected Software
References

Software	From	Fixed in
org.jenkins-ci.main / jenkins-core	2.217	2.426.3
org.jenkins-ci.main / jenkins-core	2.427	2.442
org.jenkins-ci.main / jenkins-core	2.441	2.441.x
jenkins / jenkins	2.222.1	2.426.2.x
jenkins / jenkins	2.217	2.441.x

http://www.openwall.com/lists/oss-security/2024/01/24/6
https://github.com/jenkinsci/jenkins/commit/de450967f38398169650b55c002f1229a3fcdb1b
https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3315
https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins
https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/

Vulnerability Database

289,599

CVE-2024-23898