CVE-2024-23897

Related Files

Jenkins cli Ampersand Replacement Arbitrary File Read

Posted Aug 31, 2024

Authored by h00die, binganao, h4x0r-dz, Vozec, Yaniv Nizry | Site metasploit.com

This Metasploit module utilizes the Jenkins cli protocol to run the help command. The cli is accessible with read-only permissions by default, which are all thats required. Jenkins cli utilizes args4js parseArgument, which calls expandAtFiles to replace any @<filename> with the contents of a file. We are then able to retrieve the error message to read up to the first two lines of a file. Exploitation by hand can be done with the cli, see markdown documents for additional instructions. There are a few exploitation oddities: 1. The injection point for the help command requires 2 input arguments. When the expandAtFiles is called, each line of the FILE_PATH becomes an input argument. If a file only contains one line, it will throw an error: ERROR: You must authenticate to access this Jenkins. However, we can pad out the content by supplying a first argument. 2. There is a strange timing requirement where the download (or first) request must get to the server first, but the upload (or second) request must be very close behind it. From testing against the docker image, it was found values between .01 and 1.9 were viable. Due to the round trip time of the first request and response happening before request 2 would be received, it is necessary to use threading to ensure the requests happen within rapid succession. Files of value: * /var/jenkins_home/secret.key * /var/jenkins_home/secrets/master.key * /var/jenkins_home/secrets/initialAdminPassword * /etc/passwd * /etc/shadow * Project secrets and credentials * Source code, build artifacts.

tags | exploit, protocol

advisories | CVE-2024-23897

SHA-256 | 8799f2e8f0af3fd5eaa3690edb0e303a727a1d5ed7c421cade67b080436d71e9

Download | Favorite | View

Jenkins 2.441 Local File Inclusion

Posted Apr 15, 2024

Authored by Matisse Beckandt

Jenkins version 2.441 suffers from a local file inclusion vulnerability.

tags | exploit, local, file inclusion

advisories | CVE-2024-23897

SHA-256 | bd541e95b84e90dc4cbb0bfe35af5cd5870fc359b6d836f3a3eb70857003a87a

Download | Favorite | View

Jenkins 2.441 / LTS 2.426.3 Arbitrary File Read

Posted Jan 29, 2024

Authored by binganao | Site github.com

Jenkins versions 2.441 and below and LTS 2.426.3 and below remote arbitrary file read proof of concept exploit written in Python.

tags | exploit, remote, arbitrary, proof of concept, python

advisories | CVE-2024-23897

SHA-256 | 4fdefdc8a91925284359a1beec765f58e6f6a5a76aa3e27c5a5a2fb4ba6cd562

Download | Favorite | View

Jenkins 2.441 / LTS 2.426.3 CVE-2024-23897 Scanner

Posted Jan 29, 2024

Authored by yoryio | Site github.com

Jenkins versions 2.441 and LTS 2.426.3 arbitrary file read scanner.

tags | exploit, arbitrary

advisories | CVE-2024-23897

SHA-256 | 0a161df23c6bac97a5923092b79fd307c231d11a8c0ec701df49569cfd362dfc

Download | Favorite | View