{"id":"CVE-2024-23898","details":"Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.","aliases":["BIT-jenkins-2024-23898","GHSA-53ph-2r2x-vqw8"],"modified":"2026-03-14T12:31:31.263902Z","published":"2024-01-24T18:15:09.420Z","related":["CGA-j37c-5pjm-f873"],"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/01/24/6"},{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3315"},{"type":"ARTICLE","url":"https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/jenkins","events":[{"introduced":"3d8a846a753478d75141de0edd3283d7567dbf50"},{"last_affected":"3b0de10df3bedba515e13032104d4d84f83045be"},{"introduced":"d66bd8595e531749e842274a806eabab5cc16a32"},{"last_affected":"3eb70099423f93c9de29fca3c6b5b6efd2847ad0"}],"database_specific":{"versions":[{"introduced":"2.217"},{"last_affected":"2.441"},{"introduced":"2.222.1"},{"last_affected":"2.426.2"}]}}],"versions":["jenkins-2.176.4","jenkins-2.190.1","jenkins-2.190.2","jenkins-2.190.3","jenkins-2.204.1","jenkins-2.204.2","jenkins-2.204.3","jenkins-2.204.4","jenkins-2.204.5","jenkins-2.204.6","jenkins-2.217","jenkins-2.218","jenkins-2.219","jenkins-2.220","jenkins-2.221","jenkins-2.222","jenkins-2.222.1","jenkins-2.222.3","jenkins-2.222.4","jenkins-2.223","jenkins-2.224","jenkins-2.225","jenkins-2.226","jenkins-2.227","jenkins-2.228","jenkins-2.229","jenkins-2.230","jenkins-2.231","jenkins-2.232","jenkins-2.233","jenkins-2.234","jenkins-2.235","jenkins-2.235.1","jenkins-2.235.2","jenkins-2.235.3","jenkins-2.236","jenkins-2.237","jenkins-2.238","jenkins-2.239","jenkins-2.240","jenkins-2.241","jenkins-2.242","jenkins-2.243","jenkins-2.244","jenkins-2.245","jenkins-2.246","jenkins-2.247","jenkins-2.248","jenkins-2.249","jenkins-2.250","jenkins-2.251","jenkins-2.252","jenkins-2.253","jenkins-2.254","jenkins-2.255","jenkins-2.256","jenkins-2.257","jenkins-2.258","jenkins-2.259","jenkins-2.260","jenkins-2.261","jenkins-2.262","jenkins-2.263","jenkins-2.264","jenkins-2.265","jenkins-2.266","jenkins-2.267","jenkins-2.268","jenkins-2.269","jenkins-2.270","jenkins-2.271","jenkins-2.272","jenkins-2.273","jenkins-2.274","jenkins-2.275","jenkins-2.276","jenkins-2.277","jenkins-2.278","jenkins-2.279","jenkins-2.280","jenkins-2.281","jenkins-2.282","jenkins-2.283","jenkins-2.284","jenkins-2.285","jenkins-2.286","jenkins-2.287","jenkins-2.288","jenkins-2.289","jenkins-2.290","jenkins-2.291","jenkins-2.292","jenkins-2.293","jenkins-2.294","jenkins-2.295","jenkins-2.296","jenkins-2.297","jenkins-2.298","jenkins-2.299","jenkins-2.300","jenkins-2.301","jenkins-2.302","jenkins-2.303","jenkins-2.304","jenkins-2.305","jenkins-2.306","jenkins-2.307","jenkins-2.308","jenkins-2.309","jenkins-2.310","jenkins-2.311","jenkins-2.312","jenkins-2.313","jenkins-2.314","jenkins-2.315","jenkins-2.316","jenkins-2.317","jenkins-2.318","jenkins-2.319","jenkins-2.320","jenkins-2.321","jenkins-2.322","jenkins-2.323","jenkins-2.324","jenkins-2.325","jenkins-2.326","jenkins-2.327","jenkins-2.328","jenkins-2.329","jenkins-2.330","jenkins-2.331","jenkins-2.332","jenkins-2.333","jenkins-2.334","jenkins-2.335","jenkins-2.336","jenkins-2.337","jenkins-2.338","jenkins-2.339","jenkins-2.340","jenkins-2.341","jenkins-2.342","jenkins-2.343","jenkins-2.344","jenkins-2.345","jenkins-2.346","jenkins-2.347","jenkins-2.348","jenkins-2.349","jenkins-2.350","jenkins-2.351","jenkins-2.352","jenkins-2.353","jenkins-2.354","jenkins-2.355","jenkins-2.356","jenkins-2.357","jenkins-2.358","jenkins-2.359","jenkins-2.360","jenkins-2.361","jenkins-2.362","jenkins-2.363","jenkins-2.364","jenkins-2.365","jenkins-2.366","jenkins-2.367","jenkins-2.368","jenkins-2.369","jenkins-2.370","jenkins-2.371","jenkins-2.372","jenkins-2.373","jenkins-2.374","jenkins-2.375","jenkins-2.376","jenkins-2.377","jenkins-2.378","jenkins-2.379","jenkins-2.380","jenkins-2.381","jenkins-2.382","jenkins-2.383","jenkins-2.384","jenkins-2.385","jenkins-2.386","jenkins-2.387","jenkins-2.388","jenkins-2.389","jenkins-2.390","jenkins-2.391","jenkins-2.392","jenkins-2.393","jenkins-2.394","jenkins-2.395","jenkins-2.396","jenkins-2.397","jenkins-2.398","jenkins-2.399","jenkins-2.400","jenkins-2.401","jenkins-2.402","jenkins-2.403","jenkins-2.404","jenkins-2.405","jenkins-2.406","jenkins-2.407","jenkins-2.408","jenkins-2.409","jenkins-2.410","jenkins-2.411","jenkins-2.412","jenkins-2.413","jenkins-2.414","jenkins-2.415","jenkins-2.416","jenkins-2.417","jenkins-2.418","jenkins-2.419","jenkins-2.420","jenkins-2.421","jenkins-2.422","jenkins-2.423","jenkins-2.424","jenkins-2.425","jenkins-2.426","jenkins-2.426.1","jenkins-2.426.1-rc","jenkins-2.426.1-rc-2","jenkins-2.426.2","jenkins-2.426.2-rc-1","jenkins-2.427","jenkins-2.428","jenkins-2.429","jenkins-2.430","jenkins-2.431","jenkins-2.432","jenkins-2.433","jenkins-2.434","jenkins-2.435","jenkins-2.436","jenkins-2.437","jenkins-2.438","jenkins-2.439","jenkins-2.440","jenkins-2.441","list"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23898.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}