CVE-2024-43044

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the ClassLoaderProxy#fetchJar method in the Remoting library.

Published: Aug 7, 2024
Updated: May 4, 2025
CVE: CVE-2024-43044
GHSA: GHSA-h856-ffvv-xvr4
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-22
CWE-754

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
org.jenkins-ci.main / remoting	-	3206.3208
org.jenkins-ci.main / remoting	3248	3248.3250
org.jenkins-ci.main / remoting	3256	3256.3258
org.jenkins-ci.main / jenkins-core	-	2.452.4
org.jenkins-ci.main / jenkins-core	2.460	2.462.1
org.jenkins-ci.main / jenkins-core	2.470	2.471
jenkins / jenkins	-	2.471
jenkins / jenkins	-	2.452.4

https://github.com/jenkinsci/jenkins/commit/3f54c41b40db9e4ae7afa4209bc1ea91bb9175c0
https://github.com/jenkinsci/jenkins/commit/5d26b53ad3a5cd8c4a060eef4f56d75e65ca17a5
https://github.com/jenkinsci/jenkins/commit/cec49ce5d58048f66ac3fa88409a0d38dec09bf0
https://github.com/jenkinsci/remoting/commit/3277a8e88c9b807b9a989bd7e9176d2ec9834e47
https://github.com/jenkinsci/remoting/commit/409508a675ffc4ed9681e30bb46c8d9cb375b78c
https://github.com/jenkinsci/remoting/commit/858f3c9af69d4d216b26551ea51dde6e67479bb3
https://www.jenkins.io/security/advisory/2024-08-07/#SECURITY-3430

Vulnerability Database

CVE-2024-43044