Skip to content
This repository has been archived by the owner on Feb 20, 2024. It is now read-only.

Workaround for disabling the CLI to mitigate SECURITY-3314/CVE-2024-23897 and SECURITY-3315/CVE-2024-23898

Notifications You must be signed in to change notification settings


Folders and files

Last commit message
Last commit date

Latest commit



2 Commits

Repository files navigation

SECURITY-3314/SECURITY-3315 Mitigation

This repository documents mitigations preventing exploitation of SECURITY-3314 and SECURITY-3315 on affected instances.


Access to the CLI needs to be disabled. Both of the following steps must be taken:


The remoting-based CLI has been removed from Jenkins five years ago. Related instructions are not included in this documentation. Administrators of Jenkins instances with remoting-based CLI are strongly advised to urgently upgrade to more recent releases.


The instructions below are only intended as a short-term workaround, even if you do not use the CLI. Due to Jenkins’s extensibility, it is possible that other ways to navigate to the affected HTTP endpoint exist.


Disable the CLI endpoint

If Jenkins is currently running, execute the provided script disable-cli.groovy in the Script Console. Doing so will remove the CLI HTTP endpoint until Jenkins is restarted. Create a Post-Initialization Groovy Hook Script with the contents of disable-cli.groovy to ensure the script is executed whenever Jenkins is (re)started.


To confirm the script worked, navigate to Manage Jenkins » Jenkins CLI.

Without the mitigation applied, general CLI documentation including an overview of available CLI commands is shown. With the mitigation applied, an HTTP 404 Not Found error is shown.

Disable the SSH Port

The SSH Server Plugin provides access to the Jenkins CLI via SSH. This is a plugin whose functionality used to be part of Jenkins core, so it may be installed even if you’ve never explicitly installed it.

Navigate to Manage Jenkins » Security and ensure that the SSHD Port setting in the SSH Server section is set to Disable.

Doing this is recommended even if you choose to disable or uninstall the plugin, as plugin management functionality may reinstall or re-enable the plugin to ensure plugin dependencies are satisfied.

Alternatively, you can add the following snippet to the end of the disable-cli.groovy script:

// Disable CLI access over SSH Server Plugin
if (j.getPlugin('sshd')) {


No explicit configuration is necessary with the supported UI option to disable the SSH Port, but you can attempt to connect to the previously configured SSH CLI port. The expected outcome is a failure to establish a connection. Note that no unauthenticated use of the SSH CLI is possible, so not every error is an indication of it being successfully disabled. These are examples of an expected (safe) result (assuming port 2222 was previously configured):

$ ssh -p 2222
ssh: connect to host port 2222: Connection refused
$ ssh -p 2222
kex_exchange_identification: read: Connection reset by peer
Connection reset by … port 2222


Workaround for disabling the CLI to mitigate SECURITY-3314/CVE-2024-23897 and SECURITY-3315/CVE-2024-23898