Jenkins Security: Advisories, CVEs, and Hardening Jenkins Security: Advisories, CVEs, and Hardening

Security has moved to the center of Jenkins development, with each major version adding new defenses. This guide traces that evolution, examines the critical CVE-2024-23897 CLI vulnerability, and explains why plugin hygiene is now the dominant risk.

Security Evolution Across Jenkins Versions

Security has become increasingly central to Jenkins development, with each major version bringing important enhancements.

Security Features by Version

Security Milestone Timeline

    timeline
    title Jenkins Security Evolution
    2016 : Jenkins 2.0 Release : CSRF Protection<br>Agent Security
    2018 : Content Security Policy : Cross-Site Scripting Protection
    2019 : Permission Segregation : Granular Authorization
    2020 : Secret Obfuscation : Credential Protection
    2021 : Brute Force Protection : Authentication Security
    2022 : Java 11 Required : Modern Security Libraries
    2023 : Pipeline Sandbox Improvements : Script Security
    2024 : CVE-2024-23897 CLI Fix : Java 17 Required<br>Java 11 Dropped
    2025 : New Repo Signing Keys : bcrypt Password Length Enforcement
    2026 : Java 21 Required (LTS 2.555.1) : Java 17 Dropped<br>Java 25 Supported
  

Case Study: CVE-2024-23897 (CLI Arbitrary File Read)

One of the most consequential core vulnerabilities in recent Jenkins history was CVE-2024-23897, disclosed in the Jenkins Security Advisory of January 24, 2024 and rated Critical. Jenkins’ built-in CLI uses the args4j library, whose expandAtFiles feature replaces an argument of the form @ followed by a file path with the contents of that file. Because the feature was enabled by default, an attacker could supply such an argument to read arbitrary files on the controller — and under some conditions chain that primitive toward remote code execution.

• Affected: Jenkins weekly 2.441 and earlier, and LTS 2.426.2 and earlier
• Fixed in: Jenkins 2.442 and LTS 2.426.3, where the fix disables the expandAtFiles feature

The same advisory also covered CVE-2024-23898 (High), in which the CLI WebSocket endpoint lacked origin validation, allowing cross-site WebSocket hijacking (CSWSH).

Where the Risk Lives Now: Plugins, Not Core

Through 2025, the Jenkins project continued to publish security advisories roughly monthly, but the picture shifted in an important way: the majority of Critical and High severity issues were in plugins, not Jenkins core (examples include an OAuth/OIDC authentication-bypass class of issues and a Templating Engine sandbox bypass). The takeaway is that core has hardened considerably, so plugin hygiene is now the dominant security risk: update plugins promptly when fixes ship, and remove plugins you no longer use to shrink the attack surface.

Security Best Practices

Authentication and Authorization

• Security Realm: LDAP/AD integration for enterprise
• Authorization Strategy: Role-based access control
• API Tokens: Limited-scope tokens for automation
• Matrix-based Security: Fine-grained permissions
• SAML/OAuth: Modern SSO integration

Network Security

• Reverse Proxy: TLS termination with Nginx/Apache
• Agent Communication: Encrypted protocols
• Firewall Rules: Control access to controller/agents
• Internal Network: Place in secure network zone
• VPN Access: Restrict remote access

Build Environment Security

• Pipeline Sandbox: Script approval process
• Secrets Management: Credentials plugin usage
• Container Security: Unprivileged containers
• Read-only Filesystems: Where possible
• Principle of Least Privilege: Minimal permissions

This article is part of the Jenkins LTS vs Weekly guide.

References

• Jenkins Security Team. (2024). Jenkins Security Advisory 2024-01-24 (CVE-2024-23897, CVE-2024-23898). Jenkins Security Project.
• Jenkins Security Team. (2026). Jenkins Security Advisories. Jenkins Security Project.