Skip to main content
close search
site logo
Dive Brief

Popular CI/CD tool Jenkins discloses critical CVE

The open source automation server software is used by more than 11 million developers globally, according to the project’s supporters.

Published Jan. 29, 2024
Matt Kapko's headshot
Senior Reporter
Computer language script and coding on screen.
themotioncloud via Getty Images

Dive Brief:

  • Nearly 45,000 instances of the open-source automation server Jenkins remain exposed and vulnerable to exploitation to a CVE disclosed last week, according to Shadowserver data
  • Jenkins disclosed and detailed the patch of the critical vulnerability, CVE-2024-23897, in a security advisory on Wednesday. The arbitrary file read vulnerability in the command line interface in Jenkins can be exploited by threat actors to achieve remote code execution, Jenkins security team said.
  • Sonar researchers discovered the vulnerability in the CI/CD software and detailed multiple ways threat actors could exploit the CVE to escalate privileges and remotely execute code on the server. 

Dive Insight:

Security researchers are especially concerned about the critical vulnerability in Jenkins because of its broad application.

The open source software has a roughly 44% share of the CI/CD market with an estimated 11 million developers globally, according to the Linux Foundation’s Continuous Delivery Foundation initiative.

Jenkins administrators are strongly encouraged to immediately update to Jenkins 2.442. Organizations that cannot immediately update to the latest version should disable access to the command line interface, which is expected to completely prevent exploitation, according to Jenkins’ advisory.

The open source community also shared steps for organizations to check if their instances are likely affected by the most severe impacts of the CVE.

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Whalebone Ranks Third Straight Year Among Central Europe’s 50 Fastest-Growing Companies
From Whalebone
November 25, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Editors' picks
Latest in Vulnerability
Industry Dive is an Informa TechTarget business.
© 2024 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.