# N/A
## 漏洞概述
Jenkins 2.441 及更早版本和 LTS 2.426.2 及更早版本中的 CLI 命令解析器未禁用一个特性,该特性会用文件内容替换命令参数中的 '@' 符号后面跟随的文件路径,这允许未经身份验证的攻击者读取 Jenkins 控制器文件系统上的任意文件。
## 影响版本
- Jenkins 2.441 及更早版本
- LTS 2.426.2 及更早版本
## 漏洞细节
漏洞源于 CLI 命令解析器中未禁用的一个特性,该特性会将命令参数中以 '@' 符号开头并跟随文件路径的内容替换为该文件的实际内容。攻击者可以利用这一点,插入恶意参数导致解析器读取并泄露任意文件。
## 影响
- 允许未经身份验证的远程攻击者读取 Jenkins 控制器文件系统上的任意文件。
- 可能导致敏感信息泄露。
是否为 Web 类漏洞: 是
判断理由:
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | Workaround for disabling the CLI to mitigate SECURITY-3314/CVE-2024-23897 and SECURITY-3315/CVE-2024-23898 | https://github.com/jenkinsci-cert/SECURITY-3314-3315 | POC详情 |
| 2 | CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE POC | https://github.com/forsaken0127/CVE-2024-23897 | POC详情 |
| 3 | None | https://github.com/binganao/CVE-2024-23897 | POC详情 |
| 4 | CVE-2024-23897 | https://github.com/h4x0r-dz/CVE-2024-23897 | POC详情 |
| 5 | CVE-2024-23897 | Jenkins <= 2.441 & <= LTS 2.426.2 PoC and scanner. | https://github.com/xaitax/CVE-2024-23897 | POC详情 |
| 6 | None | https://github.com/vmtyan/poc-cve-2024-23897 | POC详情 |
| 7 | Scanner for CVE-2024-23897 - Jenkins | https://github.com/yoryio/CVE-2024-23897 | POC详情 |
| 8 | CVE-2024-23897 jenkins-cli | https://github.com/CKevens/CVE-2024-23897 | POC详情 |
| 9 | on this git you can find all information on the CVE-2024-23897 | https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897 | POC详情 |
| 10 | CVE-2024-23897 - Jenkins 任意文件读取 利用工具 | https://github.com/wjlin0/CVE-2024-23897 | POC详情 |
| 11 | This repository presents a proof-of-concept of CVE-2024-23897 | https://github.com/Vozec/CVE-2024-23897 | POC详情 |
| 12 | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | https://github.com/raheel0x01/CVE-2024-23897 | POC详情 |
| 13 | Jenkins POC of Arbitrary file read vulnerability through the CLI can lead to RCE | https://github.com/viszsec/CVE-2024-23897 | POC详情 |
| 14 | None | https://github.com/jopraveen/CVE-2024-23897 | POC详情 |
| 15 | PoC for CVE-2024-23897 | https://github.com/AbraXa5/Jenkins-CVE-2024-23897 | POC详情 |
| 16 | on this git you can find all information on the CVE-2024-23897 | https://github.com/iota4/PoC-Fix-jenkins-rce_CVE-2024-23897 | POC详情 |
| 17 | CVE-2024-23897 jenkins arbitrary file read which leads to unauthenticated RCE | https://github.com/brijne/CVE-2024-23897-RCE | POC详情 |
| 18 | None | https://github.com/WLXQqwer/Jenkins-CVE-2024-23897- | POC详情 |
| 19 | Nuclei template for CVE-2024-23897 (Jenkins LFI Vulnerability) | https://github.com/kaanatmacaa/CVE-2024-23897 | POC详情 |
| 20 | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | https://github.com/Praison001/CVE-2024-23897-Jenkins-Arbitrary-Read-File-Vulnerability | POC详情 |
| 21 | on this git you can find all information on the CVE-2024-23897 | https://github.com/10T4/PoC-Fix-jenkins-rce_CVE-2024-23897 | POC详情 |
| 22 | CVE-2024-23897 | https://github.com/B4CK4TT4CK/CVE-2024-23897 | POC详情 |
| 23 | None | https://github.com/abdomagdy0/CVE-2024-23897-htb | POC详情 |
| 24 | POC for CVE-2024-23897 Jenkins File-Read | https://github.com/godylockz/CVE-2024-23897 | POC详情 |
| 25 | Jenkins Arbitrary File Leak Vulnerability [CVE-2024-23897] | https://github.com/ifconfig-me/CVE-2024-23897 | POC详情 |
| 26 | Perform with massive Jenkins Reading-2-RCE | https://github.com/ThatNotEasy/CVE-2024-23897 | POC详情 |
| 27 | Un script realizado en python para atumatizar la vulnerabilidad CVE-2024-23897 | https://github.com/pulentoski/CVE-2024-23897-Arbitrary-file-read | POC详情 |
| 28 | Scraping tool to ennumerate directories or files with the CVE-2024-23897 vulnerability in Jenkins. | https://github.com/Nebian/CVE-2024-23897 | POC详情 |
| 29 | This is an exploit script for CVE-2024-23897, a vulnerability affecting certain systems. The script is intended for educational and testing purposes only. Ensure that you have the necessary permissions before using it. | https://github.com/Abo5/CVE-2024-23897 | POC详情 |
| 30 | None | https://github.com/TheRedDevil1/CVE-2024-23897 | POC详情 |
| 31 | Jenkins CVE-2024-23897: Arbitrary File Read Vulnerability | https://github.com/Athulya666/CVE-2024-23897 | POC详情 |
| 32 | [CVE-2024-23897] Jenkins CI Authenticated Arbitrary File Read Through the CLI Leads to Remote Code Execution (RCE) | https://github.com/murataydemir/CVE-2024-23897 | POC详情 |
| 33 | None | https://github.com/mil4ne/CVE-2024-23897-Jenkins-4.441 | POC详情 |
| 34 | Poc para explotar la vulnerabilidad CVE-2024-23897 en versiones 2.441 y anteriores de Jenkins, mediante la cual podremos leer archivos internos del sistema sin estar autenticados | https://github.com/Maalfer/CVE-2024-23897 | POC详情 |
| 35 | Un exploit con el que puedes aprovecharte de la vulnerabilidad (CVE-2024-23897) | https://github.com/Surko888/Surko-Exploit-Jenkins-CVE-2024-23897 | POC详情 |
| 36 | CVE-2024-23897 jenkins-cli | https://github.com/3yujw7njai/CVE-2024-23897 | POC详情 |
| 37 | None | https://github.com/AnastasiaStill/CVE-2024-23897 | POC详情 |
| 38 | Reproduce CVE-2024–23897 | https://github.com/NoSpaceAvailable/CVE-2024-23897 | POC详情 |
| 39 | Jenkins CVE-2024-23897: Arbitrary File Read Vulnerability | https://github.com/JAthulya/CVE-2024-23897 | POC详情 |
| 40 | exploit diseñado para aprovechar una vulnerabilidad crítica en Jenkins versiones <= 2.441. La vulnerabilidad, CVE-2024-23897, permite la lectura arbitraria de archivos a través del CLI de Jenkins, lo que puede llevar a la exposición de información sensible o incluso a la ejecución remota de código (RCE) bajo ciertas circunstancias. | https://github.com/BinaryGoodBoy0101/Jenkins-Exploit-CVE-2024-23897-Fsociety | POC详情 |
| 41 | CVE-2024-23897 분석 | https://github.com/ShieldAuth-PHP/PBL05-CVE-Analsys | POC详情 |
| 42 | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | https://github.com/r0xdeadbeef/CVE-2024-23897 | POC详情 |
| 43 | None | https://github.com/fullaw4ke/CVE-2024-23897-Jenkins-4.441 | POC详情 |
| 44 | POC - Jenkins File Read Vulnerability - CVE-2024-23897 | https://github.com/verylazytech/CVE-2024-23897 | POC详情 |
| 45 | CVE-2024-23897 exploit script | https://github.com/cc3305/CVE-2024-23897 | POC详情 |
| 46 | CVE-2024-23897是一个影响Jenkins的严重安全漏洞 | https://github.com/zgimszhd61/CVE-2024-23897-poc | POC详情 |
| 47 | Jenkins CVE-2024-23897: Arbitrary File Read Vulnerability Leading to RCE | https://github.com/safeer-accuknox/Jenkins-Args4j-CVE-2024-23897-POC | POC详情 |
| 48 | None | https://github.com/D1se0/CVE-2024-23897-Vulnerabilidad-Jenkins | POC详情 |
| 49 | Jenkins CVE-2024-23897 POC : Arbitrary File Read Vulnerability Leading to RCE | https://github.com/Marouane133/jenkins-lfi | POC详情 |
| 50 | CVE-2024-23897 jenkins-cli | https://github.com/AiK1d/CVE-2024-23897 | POC详情 |
| 51 | Jenkins RCE Arbitrary File Read CVE-2024-23897 | https://github.com/slytechroot/CVE-2024-23897 | POC详情 |
| 52 | None | https://github.com/brandonhjh/Jenkins-CVE-2024-23897-Exploit-Demo | POC详情 |
| 53 | Jenkins CLI arbitrary read (CVE-2024-23897 applies to versions below 2.442 and LTS 2.426.3) | https://github.com/tvasari/CVE-2024-23897 | POC详情 |
| 54 | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2024/CVE-2024-23897.yaml | POC详情 |
| 55 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Jenkins%20CLI%20%E6%8E%A5%E5%8F%A3%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2024-23897.md | POC详情 |
| 56 | https://github.com/vulhub/vulhub/blob/master/jenkins/CVE-2024-23897/README.md | POC详情 | |
| 57 | None | https://github.com/Fineken/Jenkins-CVE-2024-23897-Lab | POC详情 |
| 58 | None | https://github.com/revkami/CVE-2024-23897-Jenkins-4.441 | POC详情 |
| 59 | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | https://github.com/r0xDB/CVE-2024-23897 | POC详情 |
| 60 | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | https://github.com/R0XDEADBEEF/CVE-2024-23897 | POC详情 |
| 61 | CVE-2024-23897 jenkins-cli | https://github.com/P4x1s/CVE-2024-23897 | POC详情 |
| 62 | Jenkins CLI arbitrary file read (CVE-2024-23897) | https://github.com/amalpvatayam67/day03-jenkins-23897 | POC详情 |
| 63 | None | https://github.com/hybinn/CVE-2024-23897 | POC详情 |
| 64 | None | https://github.com/aadi0258/Exploit-CVE-2024-23897 | POC详情 |
| 65 | None | https://github.com/harekrishnarai/CVE-2024-23897-test-windows | POC详情 |
暂无评论