{"id":"CVE-2024-23898","details":"Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.","aliases":["BIT-jenkins-2024-23898","GHSA-53ph-2r2x-vqw8"],"modified":"2026-04-10T05:09:42.400390Z","published":"2024-01-24T18:15:09.420Z","related":["CGA-j37c-5pjm-f873"],"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/01/24/6"},{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3315"},{"type":"ARTICLE","url":"https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/jenkins","events":[{"introduced":"3d8a846a753478d75141de0edd3283d7567dbf50"},{"last_affected":"3b0de10df3bedba515e13032104d4d84f83045be"},{"introduced":"d66bd8595e531749e842274a806eabab5cc16a32"},{"last_affected":"3eb70099423f93c9de29fca3c6b5b6efd2847ad0"}],"database_specific":{"versions":[{"introduced":"2.217"},{"last_affected":"2.441"},{"introduced":"2.222.1"},{"last_affected":"2.426.2"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23898.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}