These are Multiple vulnerabilities affecting Jenkins products which could result in Remote Code Execution and Cross-site webSocket hijacking.

CVE-2024-23897 refers to a Critical Vulnerability in the command line interface command parser allowing attackers to read arbitrary files on the Jenkins controller file system, resulting in possible Remote Code Execution.

CVE-2024-23898 refers to a High vulnerability which enables cross-site WebSocket Hijacking in the command line interface, resulting in the potential threat actors to execute CLI command on the Jenkins controller.

A list of affected versions included here: https://www.jenkins.io/security/advisory/2024-01-24/

• Jenkins (Core)
• Git Server Plugin
• GitLab Branch Plugin
• Log Command Plugin
• Matrix Project Plugin
• Qualys Policy Compliance Scanning Connector Plugin
• Red Hat Dependency Analytics Plugin

An attacker could exploit this vulnerability and take control of the affected system.

Administrators are recommended to review their network for use of vulnerability Jenkins Products and upgrade to Jenkins 2.442 or LTS 2.426.3.