Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier, do not disable a feature of the CLI command parser that replaces an '@' character followed by a file path in an argument with that file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
https://medium.com/@KonradDaWo/htb-builder-writeup-808de3aae947
https://www.rapid7.com/blog/post/2024/04/05/metasploit-weekly-wrap-up-04-05-2024/
https://medium.com/@fre1si/builder-htb-write-up-143ad7fde347
https://www.hivepro.com/threat-advisory/critical-remote-code-execution-flaws-uncovered-in-jenkins/
https://www.theregister.com/2024/01/30/jenkins_rce_flaw_patch/
https://thecyberthrone.in/2024/01/29/poc-for-jenkins-cve-2024-23897-made-public/
https://securityaffairs.com/158251/hacking/cve-2024-23897-poc-exploits.html
https://securityaffairs.com/158151/security/jenkins-critical-flaw.html
https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html
https://thecyberthrone.in/2024/01/25/jenkins-fixes-critical-rce-vulnerability-cve-2024-23897/
https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
http://www.openwall.com/lists/oss-security/2024/01/24/6
http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html