CVE-2024-23904 in Log Command Plugin
Summary
by MITRE • 01/24/2024
Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/21/2025
The vulnerability identified as CVE-2024-23904 affects the Jenkins Log Command Plugin version 1.0.2 and earlier, presenting a critical security risk that enables unauthenticated attackers to access arbitrary files on the Jenkins controller's file system. This issue stems from a dangerous feature within the command parser that automatically substitutes '@' character followed by a file path with the actual file contents, creating a path traversal and information disclosure vulnerability. The flaw allows attackers to exploit this functionality without requiring authentication credentials, making it particularly dangerous in environments where Jenkins is exposed to untrusted networks or users.
The technical implementation of this vulnerability operates through the command parser's handling of arguments that begin with the '' symbol, which is traditionally used in various command-line interfaces to indicate that the following content should be treated as a file path containing command arguments. When Jenkins processes commands through the Log Command Plugin, it fails to properly sanitize or disable this feature, allowing attackers to specify any file path after the '' character. The plugin then automatically reads the contents of that file and incorporates them into the command execution context, effectively enabling arbitrary file read operations. This behavior violates fundamental security principles and represents a classic case of unsafe input handling and privilege escalation through command injection.
The operational impact of this vulnerability extends beyond simple information disclosure, as attackers can potentially access sensitive files such as configuration files, credential stores, build scripts, or system files that may contain authentication tokens, API keys, or other confidential information. This vulnerability can be exploited by unauthenticated attackers who gain access to the Jenkins web interface or command execution endpoints, potentially leading to complete system compromise if sensitive credentials or configuration data are exposed. The attack surface is particularly concerning in continuous integration environments where Jenkins controllers often contain critical build artifacts, deployment configurations, and authentication mechanisms that could be leveraged for further attacks within the organization's infrastructure.
Organizations should immediately upgrade to a patched version of the Jenkins Log Command Plugin to address this vulnerability, as no effective workarounds exist for disabling the problematic parsing behavior without updating the plugin itself. The vulnerability aligns with CWE-22 Path Traversal and CWE-352 Cross-Site Request Forgery categories, representing a combination of file system access issues and authentication bypass concerns. From an attacker perspective, this vulnerability maps to ATT&CK technique T1005 Data from Local System and T1083 File and Directory Discovery, as it enables unauthorized access to file system contents and can be used to enumerate sensitive files. Security teams should implement network segmentation to limit access to Jenkins controllers, conduct thorough file system audits to identify potentially compromised files, and monitor for suspicious command execution patterns that may indicate exploitation attempts. The vulnerability also highlights the importance of validating and sanitizing all user-provided input, particularly in plugins that handle command execution or parsing, and demonstrates the critical need for regular security updates and vulnerability assessments in CI/CD environments.