{"repro_id":"REPRO-2026-00200","version":8,"title":"Jenkins CLI arbitrary file read via @ argument expansion","repro_type":"security","status":"published","severity":"critical","cvss_score":9.8,"description":"Jenkins core CLI uses args4j’s `expandAtFiles` feature to replace arguments prefixed with `@` with file contents. In Jenkins 2.441 and earlier (weekly) and 2.426.2 and earlier (LTS), this feature is enabled by default, allowing unauthenticated attackers to read the first few lines of arbitrary files, and users with Overall/Read permission to read entire files. Leaked secrets can enable further compromise, including RCE.","cve_id":"CVE-2024-23897","cwe_id":"CWE-22","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23897","package":{"name":"jenkins","ecosystem":"generic","affected_versions":"weekly <= 2.441; LTS <= 2.426.2","fixed_version":"2.442; 2.426.3; 2.440.1"},"reproduced_at":"2026-07-02T05:44:58.409482+00:00","duration_secs":1291.0,"tool_calls":73,"handoffs":1,"total_cost_usd":1.64051395,"agent_costs":{"hypothesis_generator":0.0131224,"judge":0.018676650000000003,"repro":1.56074643,"support":0.04796847},"cost_breakdown":{"hypothesis_generator":{"accounts/fireworks/models/glm-5p2":0.0131224},"judge":{"gpt-5.4-mini":0.018676650000000003},"repro":{"accounts/fireworks/routers/glm-5p2-fast":1.56074643},"support":{"accounts/fireworks/routers/glm-5p2-fast":0.04796847}},"quality":{"confidence":"high","idempotent_verified":false,"community_verifications":0},"published_at":"2026-07-02T05:44:58.908155+00:00","retracted":false,"artifacts":[{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":19742,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":6058,"category":"analysis"},{"path":"bundle/repro/runtime_manifest.json","filename":"runtime_manifest.json","size":905,"category":"other"},{"path":"bundle/repro/validation_verdict.json","filename":"validation_verdict.json","size":719
,"category":"other"},{"path":"bundle/ticket.json","filename":"ticket.json","size":3819,"category":"other"},{"path":"bundle/ticket.md","filename":"ticket.md","size":3358,"category":"ticket"},{"path":"bundle/logs/docker_vuln.log","filename":"docker_vuln.log","size":2679,"category":"log"},{"path":"bundle/logs/docker_fixed.log","filename":"docker_fixed.log","size":3089,"category":"log"},{"path":"bundle/logs/whoami_fixed.out","filename":"whoami_fixed.out","size":53,"category":"other"},{"path":"bundle/logs/fixed_attempt2.log","filename":"fixed_attempt2.log","size":45,"category":"log"},{"path":"bundle/logs/vuln_attempt2.log","filename":"vuln_attempt2.log","size":2333,"category":"log"},{"path":"bundle/logs/cli_fixed.out","filename":"cli_fixed.out","size":45,"category":"other"},{"path":"bundle/logs/fixed_passwd_ground_truth.txt","filename":"fixed_passwd_ground_truth.txt","size":888,"category":"other"},{"path":"bundle/logs/cli_vuln.out","filename":"cli_vuln.out","size":2333,"category":"other"},{"path":"bundle/logs/vuln_passwd_ground_truth.txt","filename":"vuln_passwd_ground_truth.txt","size":888,"category":"other"},{"path":"bundle/logs/fixed_attempt1.log","filename":"fixed_attempt1.log","size":45,"category":"log"},{"path":"bundle/logs/whoami_vuln.out","filename":"whoami_vuln.out","size":53,"category":"other"},{"path":"bundle/logs/vuln_attempt1.log","filename":"vuln_attempt1.log","size":2333,"category":"log"},{"path":"bundle/logs/reproduction_steps.log","filename":"reproduction_steps.log","size":3328,"category":"log"},{"path":"bundle/logs/cli_vuln_help.out","filename":"cli_vuln_help.out","size":3273,"category":"other"}]}