Jenkins, a long-standing fixture of open-source CI/CD automation, has recently addressed nine vulnerabilities, the most serious being the critical CVE-2024-23897. This flaw is an arbitrary file read vulnerability in the Jenkins CLI that could be escalated to remote code execution, exposing Jenkins instances to malicious actors. The root cause lies in the args4j library used to parse CLI commands: its expandAtFiles feature, which replaces an argument of the form `@<path>` with the contents of that file, was enabled by default in earlier Jenkins versions. Because the path is attacker-controlled, an attacker could read arbitrary files on the Jenkins controller file system. Security researcher Yaniv Nizry discovered and reported the flaw, and it was fixed in Jenkins 2.442 and LTS 2.426.3. As an interim precaution, users who cannot upgrade immediately are advised to disable CLI access. This development underscores Jenkins' ongoing commitment to hardening its defenses, following the CorePlague vulnerabilities addressed nearly a year ago. The rest of this post delves into the specifics of the resolved vulnerabilities, their implications for CI/CD practitioners, and strategies for securing Jenkins environments.
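To make the mechanism concrete, the following Python model (an added illustration, not Jenkins or args4j code) contrasts an argument parser with `@file` expansion enabled against the hardened configuration in which the feature is turned off; the `CliParser` class, its `expand_at_files` flag and the temporary secret file are all constructed for this example.

```python
import os
import tempfile
from typing import Dict, List


class CliParser:
    """Toy model of an args4j-style command parser (constructed, not real args4j)."""

    def __init__(self, expand_at_files: bool):
        # In Jenkins before 2.442 / LTS 2.426.3 this feature was on by default.
        self.expand_at_files = expand_at_files

    def parse(self, argv: List[str]) -> List[str]:
        """Return the effective argument list after optional @file expansion."""
        out: List[str] = []
        for arg in argv:
            if self.expand_at_files and arg.startswith("@") and len(arg) > 1:
                # Vulnerable behaviour: the token names a file on the
                # controller and its contents replace the token, so any
                # file the Jenkins process can read becomes parser input.
                with open(arg[1:], "r", encoding="utf-8") as fh:
                    out.extend(fh.read().split())
            else:
                # Hardened behaviour: '@...' is an ordinary literal argument.
                out.append(arg)
        return out


def demo() -> Dict[str, List[str]]:
    """Run the same CLI arguments through both parser configurations."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # constructed sensitive file
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("hunter2 extra\n")
        argv = ["who-am-i", "@" + secret]
        return {
            "vulnerable": CliParser(expand_at_files=True).parse(argv),
            "hardened": CliParser(expand_at_files=False).parse(argv),
        }


if __name__ == "__main__":
    for mode, args in demo().items():
        print(f"{mode:10s} -> {args}")
```

With expansion enabled the file contents leak into the parsed arguments; with it disabled the `@` token is passed through untouched, which is exactly why the fix turns the feature off.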