raheel0x01 / CVE-2024-23897

Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier, do not disable a feature of the CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.


CVE-2024-23897

Jenkins 2.441 and earlier, and LTS 2.426.2 and earlier, do not disable a feature of the CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
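A triage check for the affected ranges stated above, as an added example that is not part of this repository: it classifies a controller's reported version as affected or not. The function names `ver_le` and `jenkins_status` and the sample inventory are constructed for illustration, and the script assumes weekly releases have two version components (2.441) and LTS releases have three (2.426.2).

```shell
#!/bin/sh
# Added example, not the repository's code: classify Jenkins versions against
# the ranges this page states for CVE-2024-23897
# (weekly <= 2.441, LTS <= 2.426.2).

# ver_le A B: succeed when dotted version A <= B (missing parts count as 0).
ver_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# jenkins_status VERSION: prints affected | not-affected | unknown.
jenkins_status() {
    v=$1
    # Reject empty strings, suffixes such as -rc, and malformed dot placement.
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    case $v in
        *.*.*.*) echo unknown ;;  # too many components for either release line
        *.*.*)   # assumption: three components means an LTS release
            if ver_le "$v" 2.426.2; then echo affected; else echo not-affected; fi ;;
        *.*)     # assumption: two components means a weekly release
            if ver_le "$v" 2.441; then echo affected; else echo not-affected; fi ;;
        *) echo unknown ;;
    esac
}

# Constructed sample inventory (hostname and version), not real data.
inventory='ci-a 2.441
ci-b 2.442
ci-c 2.426.2
ci-d 2.426.3
ci-e 2.440.1-rc'

printf '%s\n' "$inventory" | while read -r host ver; do
    printf '%s\t%s\t%s\n' "$host" "$ver" "$(jenkins_status "$ver")"
done
```

Versions reported as `unknown` need a manual look before being treated as safe.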

Exploitation

Follow these steps to execute the exploit:

  1. Grant execution permissions to the script:

    chmod +x run_exploit.sh

  2. Run the script:

    ./run_exploit.sh

Additional References

To stay abreast of information regarding CVE-2024-23897 and its mitigation, consult the following resources:

  1. CVE-2024-23897 Feed on Feedly:

  2. SecurityOnline Article:

  3. Educational Mitigation Video:


License: MIT License

Languages

C++ 80.8%, Shell 19.2%