一、 漏洞 CVE-2024-23897 基础信息
漏洞信息
                                        # N/A

## 漏洞概述
Jenkins 2.441 及更早版本和 LTS 2.426.2 及更早版本中的 CLI 命令解析器未禁用一个特性,该特性会用文件内容替换命令参数中的 '@' 符号后面跟随的文件路径,这允许未经身份验证的攻击者读取 Jenkins 控制器文件系统上的任意文件。

## 影响版本
- Jenkins 2.441 及更早版本
- LTS 2.426.2 及更早版本

## 漏洞细节
漏洞源于 CLI 命令解析器中未禁用的一个特性,该特性会将命令参数中以 '@' 符号开头并跟随文件路径的内容替换为该文件的实际内容。攻击者可以利用这一点,插入恶意参数导致解析器读取并泄露任意文件。

## 影响
- 允许未经身份验证的远程攻击者读取 Jenkins 控制器文件系统上的任意文件。
- 可能导致敏感信息泄露。
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
N/A
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
N/A
来源:美国国家漏洞数据库 NVD
漏洞标题
Jenkins 安全漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Jenkins是Jenkins开源的一个应用软件。一个开源自动化服务器Jenkins提供了数百个插件来支持构建,部署和自动化任何项目。 Jenkins 2.441及之前版本、LTS 2.426.2及之前版本存在安全漏洞,该漏洞源于允许未经身份验证的攻击者读取Jenkins控制器文件系统。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
其他
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2024-23897 的公开POC
# POC 描述 源链接 神龙链接
1 Workaround for disabling the CLI to mitigate SECURITY-3314/CVE-2024-23897 and SECURITY-3315/CVE-2024-23898 https://github.com/jenkinsci-cert/SECURITY-3314-3315 POC详情
2 CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE POC https://github.com/forsaken0127/CVE-2024-23897 POC详情
3 None https://github.com/binganao/CVE-2024-23897 POC详情
4 CVE-2024-23897 https://github.com/h4x0r-dz/CVE-2024-23897 POC详情
5 CVE-2024-23897 | Jenkins <= 2.441 & <= LTS 2.426.2 PoC and scanner. https://github.com/xaitax/CVE-2024-23897 POC详情
6 None https://github.com/vmtyan/poc-cve-2024-23897 POC详情
7 Scanner for CVE-2024-23897 - Jenkins https://github.com/yoryio/CVE-2024-23897 POC详情
8 CVE-2024-23897 jenkins-cli https://github.com/CKevens/CVE-2024-23897 POC详情
9 on this git you can find all information on the CVE-2024-23897 https://github.com/iota4/PoC-jenkins-rce_CVE-2024-23897 POC详情
10 CVE-2024-23897 - Jenkins 任意文件读取 利用工具 https://github.com/wjlin0/CVE-2024-23897 POC详情
11 This repository presents a proof-of-concept of CVE-2024-23897 https://github.com/Vozec/CVE-2024-23897 POC详情
12 Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. https://github.com/raheel0x01/CVE-2024-23897 POC详情
13 Jenkins POC of Arbitrary file read vulnerability through the CLI can lead to RCE https://github.com/viszsec/CVE-2024-23897 POC详情
14 None https://github.com/jopraveen/CVE-2024-23897 POC详情
15 PoC for CVE-2024-23897 https://github.com/AbraXa5/Jenkins-CVE-2024-23897 POC详情
16 on this git you can find all information on the CVE-2024-23897 https://github.com/iota4/PoC-Fix-jenkins-rce_CVE-2024-23897 POC详情
17 CVE-2024-23897 jenkins arbitrary file read which leads to unauthenticated RCE https://github.com/brijne/CVE-2024-23897-RCE POC详情
18 None https://github.com/WLXQqwer/Jenkins-CVE-2024-23897- POC详情
19 Nuclei template for CVE-2024-23897 (Jenkins LFI Vulnerability) https://github.com/kaanatmacaa/CVE-2024-23897 POC详情
20 Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. https://github.com/Praison001/CVE-2024-23897-Jenkins-Arbitrary-Read-File-Vulnerability POC详情
21 on this git you can find all information on the CVE-2024-23897 https://github.com/10T4/PoC-Fix-jenkins-rce_CVE-2024-23897 POC详情
22 CVE-2024-23897 https://github.com/B4CK4TT4CK/CVE-2024-23897 POC详情
23 None https://github.com/abdomagdy0/CVE-2024-23897-htb POC详情
24 POC for CVE-2024-23897 Jenkins File-Read https://github.com/godylockz/CVE-2024-23897 POC详情
25 Jenkins Arbitrary File Leak Vulnerability [CVE-2024-23897] https://github.com/ifconfig-me/CVE-2024-23897 POC详情
26 Perform with massive Jenkins Reading-2-RCE https://github.com/ThatNotEasy/CVE-2024-23897 POC详情
27 Un script realizado en python para atumatizar la vulnerabilidad CVE-2024-23897 https://github.com/pulentoski/CVE-2024-23897-Arbitrary-file-read POC详情
28 Scraping tool to ennumerate directories or files with the CVE-2024-23897 vulnerability in Jenkins. https://github.com/Nebian/CVE-2024-23897 POC详情
29 This is an exploit script for CVE-2024-23897, a vulnerability affecting certain systems. The script is intended for educational and testing purposes only. Ensure that you have the necessary permissions before using it. https://github.com/Abo5/CVE-2024-23897 POC详情
30 None https://github.com/TheRedDevil1/CVE-2024-23897 POC详情
31 Jenkins CVE-2024-23897: Arbitrary File Read Vulnerability https://github.com/Athulya666/CVE-2024-23897 POC详情
32 [CVE-2024-23897] Jenkins CI Authenticated Arbitrary File Read Through the CLI Leads to Remote Code Execution (RCE) https://github.com/murataydemir/CVE-2024-23897 POC详情
33 None https://github.com/mil4ne/CVE-2024-23897-Jenkins-4.441 POC详情
34 Poc para explotar la vulnerabilidad CVE-2024-23897 en versiones 2.441 y anteriores de Jenkins, mediante la cual podremos leer archivos internos del sistema sin estar autenticados https://github.com/Maalfer/CVE-2024-23897 POC详情
35 Un exploit con el que puedes aprovecharte de la vulnerabilidad (CVE-2024-23897) https://github.com/Surko888/Surko-Exploit-Jenkins-CVE-2024-23897 POC详情
36 CVE-2024-23897 jenkins-cli https://github.com/3yujw7njai/CVE-2024-23897 POC详情
37 None https://github.com/AnastasiaStill/CVE-2024-23897 POC详情
38 Reproduce CVE-2024–23897 https://github.com/NoSpaceAvailable/CVE-2024-23897 POC详情
39 Jenkins CVE-2024-23897: Arbitrary File Read Vulnerability https://github.com/JAthulya/CVE-2024-23897 POC详情
40 exploit diseñado para aprovechar una vulnerabilidad crítica en Jenkins versiones <= 2.441. La vulnerabilidad, CVE-2024-23897, permite la lectura arbitraria de archivos a través del CLI de Jenkins, lo que puede llevar a la exposición de información sensible o incluso a la ejecución remota de código (RCE) bajo ciertas circunstancias. https://github.com/BinaryGoodBoy0101/Jenkins-Exploit-CVE-2024-23897-Fsociety POC详情
41 CVE-2024-23897 분석 https://github.com/ShieldAuth-PHP/PBL05-CVE-Analsys POC详情
42 Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. https://github.com/r0xdeadbeef/CVE-2024-23897 POC详情
43 None https://github.com/fullaw4ke/CVE-2024-23897-Jenkins-4.441 POC详情
44 POC - Jenkins File Read Vulnerability - CVE-2024-23897 https://github.com/verylazytech/CVE-2024-23897 POC详情
45 CVE-2024-23897 exploit script https://github.com/cc3305/CVE-2024-23897 POC详情
46 CVE-2024-23897是一个影响Jenkins的严重安全漏洞 https://github.com/zgimszhd61/CVE-2024-23897-poc POC详情
47 Jenkins CVE-2024-23897: Arbitrary File Read Vulnerability Leading to RCE https://github.com/safeer-accuknox/Jenkins-Args4j-CVE-2024-23897-POC POC详情
48 None https://github.com/D1se0/CVE-2024-23897-Vulnerabilidad-Jenkins POC详情
49 Jenkins CVE-2024-23897 POC : Arbitrary File Read Vulnerability Leading to RCE https://github.com/Marouane133/jenkins-lfi POC详情
50 CVE-2024-23897 jenkins-cli https://github.com/AiK1d/CVE-2024-23897 POC详情
51 Jenkins RCE Arbitrary File Read CVE-2024-23897 https://github.com/slytechroot/CVE-2024-23897 POC详情
52 None https://github.com/brandonhjh/Jenkins-CVE-2024-23897-Exploit-Demo POC详情
53 Jenkins CLI arbitrary read (CVE-2024-23897 applies to versions below 2.442 and LTS 2.426.3) https://github.com/tvasari/CVE-2024-23897 POC详情
54 Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2024/CVE-2024-23897.yaml POC详情
55 None https://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Jenkins%20CLI%20%E6%8E%A5%E5%8F%A3%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2024-23897.md POC详情
56 https://github.com/vulhub/vulhub/blob/master/jenkins/CVE-2024-23897/README.md POC详情
三、漏洞 CVE-2024-23897 的情报信息