Playing with Jenkins File Read [CVE-2024-23897] 

Good explanation! I like how you actually tried to understand what was going on instead of skirting over a bunch of stuff like other youtubers do!

Interesting approach to this vuln, nice video showcasing. Thx.

Thanks for the explanation. All the best with understanding the bash xD

Great vid. Thank. you, 0xdf!

Great explanation Thanks for sharing

Nice video, but I have no clue about the bash loop 😂😅. But great approach❤.

To resolve the issue with stages in Jenkins related to the CVE-2024-23897 (Arbitrary File Read Vulnerability), you should update Jenkins to version 2.441 or later, or LTS 2.426.3 or later. This update disables a feature of the CLI command parser that allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system. Additionally, you can follow the security advisory provided by Jenkins to ensure your system is secure and protected against this vulnerability.

It would be nice if you can put that bash file on a github repo!

Thanx man

Fiddled about with it and noticed that, if I set up the commands on a different file descriptor (i. e. 3) then the while read (-u 3) loop runs just fine. Haven't looked at the source for the cli yet, but maybe it somehow messes with stdin?

What if the target server is Windows? What file do we need to search to obtain sensitive information?

howdy hoaxbeef