r0xdeadbeef/CVE-2024-23897

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 

Repository files navigation

CVE-2024-23897

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
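The paragraph above describes the bug in one sentence; the following Python is an added illustration (it is not `run_exploit.sh` and not Jenkins code) of what that sentence means in practice. It models the args4j `@file` expansion the Jenkins CLI parser inherits, shows how a command that repeats its arguments in an error message turns that expansion into a file read, contrasts it with the behaviour after the fix (Jenkins 2.442 / LTS 2.426.3 disabled the expansion; the `hudson.cli.CLICommand.allowAtSyntax` system property re-enables it), and adds a version check you can feed the value of the `X-Jenkins` response header. The fake file system, the `connect-node`-style error text and the helper names are constructed for the example.

```python
# Added example for CVE-2024-23897: not the repository's run_exploit.sh and not
# Jenkins/args4j code. Models the "@file" argument expansion, the fix, and a
# version check. All file contents below are constructed sample data.

# Constructed stand-in for the controller's file system (assumed paths/contents).
FAKE_FS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    ),
    "/var/jenkins_home/secrets/master.key": "0123456789abcdef0123456789abcdef\n",
}


def expand_at_files(args, allow_at_syntax, read_lines=None):
    """Emulate the args4j expandAtFiles step the Jenkins CLI parser runs on argv.

    allow_at_syntax=True  : Jenkins <= 2.441 / LTS <= 2.426.2. An argument of the
                            form '@<path>' is replaced by one argument per line of
                            <path>, read from the controller's file system.
    allow_at_syntax=False : Jenkins >= 2.442 / LTS >= 2.426.3. The argument is kept
                            verbatim (the old behaviour only returns if the
                            hudson.cli.CLICommand.allowAtSyntax property is set).
    """
    read_lines = read_lines or (lambda path: FAKE_FS[path].splitlines())
    expanded = []
    for arg in args:
        if allow_at_syntax and arg.startswith("@"):
            expanded.extend(read_lines(arg[1:]))  # file lines become CLI arguments
        else:
            expanded.append(arg)
    return expanded


def run_echoing_command(args):
    """Constructed stand-in for a CLI command whose error message repeats each
    argument (the way connect-node reports an unknown agent name). That echo is
    what turns the expansion into an information leak."""
    return [f'ERROR: No such agent "{name}" exists.' for name in args]


def leaked_lines(argv, allow_at_syntax):
    """Round trip: parse argv as the CLI would, run the command, return its output.
    With at-syntax enabled every line of the named file comes back in an ERROR line;
    with it disabled the literal '@/path' is all the caller ever sees."""
    _command, *rest = expand_at_files(argv, allow_at_syntax)
    return run_echoing_command(rest)


def is_affected(version):
    """True when a Jenkins core version predates the fix.

    Weekly releases are X.Y (fixed in 2.442); LTS releases are X.Y.Z (fixed in
    2.426.3). Feed this the X-Jenkins response header or the footer version.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) == 2:
        return parts < (2, 442)
    if len(parts) == 3:
        return parts < (2, 426, 3)
    raise ValueError(f"unrecognised Jenkins version string: {version!r}")


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"at-syntax {'enabled' if enabled else 'disabled'}:")
        for line in leaked_lines(["connect-node", "@/etc/passwd"], enabled):
            print("   ", line)
    for v in ("2.441", "2.442", "2.426.2", "2.426.3", "2.440.1"):
        print(v, "affected" if is_affected(v) else "fixed")
```

The model deliberately expands per line rather than per file, because that is how the parser works and it explains why an unauthenticated caller, who only sees error text, typically recovers the first line or first few lines of a file while a caller holding Overall/Read can pull whole files through commands that echo more of their input.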

Exploitation

Follow these steps to execute the exploit:

  1. Grant Execution Permissions to the Script:

    chmod +x run_exploit.sh
  2. Run the Script:

    ./run_exploit.sh

Additional References

To stay abreast of information regarding CVE-2024-23897 and its mitigation, consult the following resources:

  1. CVE-2024-23897 Feed on Feedly:

  2. SecurityOnline Article:

  3. Educational Mitigation Video:
