Free

CVE Series: Jenkins Arbitrary File Leak Vulnerability (CVE-2024-23897)

CVE-2024-23897 is a critical security flaw affecting Jenkins, a Java-based open-source automation server widely used for application building, testing, and deployment. It allows unauthorized access to files through the Jenkins integrated command line interface (CLI), potentially leading to remote code execution (RCE).

1
5
M
Time
Intermediate
difficulty
1
ceu/cpe

Course Content

Exploiting the vulnerability

10m

CVE-2024-23897 Exploitation
Introduction to Jenkins FREE

5m

Introduction to Jenkins
Exploiting CVE-2024-23897

30m

CVE-2024-23897 Exploitation
Course Description

CVE-2024-23897 is a critical security flaw affecting Jenkins, a Java-based open-source automation server widely used for application building, testing, and deployment. It allows unauthorized access to files through the Jenkins integrated command line interface (CLI), potentially leading to remote code execution (RCE). The vulnerability, with a CVSS score of 9.8, affects Jenkins versions up to 2.441 and LTS versions up to 2.426.2. It stems from the use of the args4j library, which can replace a file path preceded by an "@" character with the file's contents. This can be exploited to read any file on the Jenkins controller file system. In this course you’ll be exploiting and mitigating this critical CVE.

Target Audience

This course is for seasoned red teamers, penetration testers, security and vulnerability assessment analysts, developers, and system administrators who want to know how to exploit and protect against the latest vulnerabilities impacting enterprise systems.

Course Level

Intermediate

Prerequisites

Basic knowledge of the Linux command line, networking, and Python."

Helpful Links

  • CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23897 (Official CVE)
  • NIST Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-23897
  • Security Advisory: https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314
  • Sonar Blog: https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/
  • Zscaler Blog: https://www.zscaler.com/blogs/security-research/jenkins-arbitrary-file-leak-vulnerability-cve-2024-23897-can-lead-rce
  • Horizon3.ai Blog: https://www.horizon3.ai/attack-research/red-team/cve-2024-23897-assessing-the-impact-of-the-jenkins-arbitrary-file-leak-vulnerability/
  • Exploits: https://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html https://github.com/godylockz/CVE-2024-23897
  • YouTube Video with 0xdf on exploitation: https://www.youtube.com/watch?v=toPJhfy-wvw
  • This course is part of a Career Path:
    No items found.

    Instructed by

    Senior Instructor
    Clint Kehr

    Clint is a technical manager for a financial services company’s Responsible Disclosure Team, where he interacts with ethical hackers who find vulnerabilities in the company’s infrastructure. Clint is a former Special Agent with the Department of Justice where he specialized in internet investigations and conducted numerous cases on cyber threat actors on the surface, deep, and dark web, resulting in Clint earning the Attorney General’s Distinguished Service Award. Clint has trained over 1,000 law enforcement officers, prosecutors, and civilians on the dark web and dark market websites. Clint has a master’s degree in intelligence studies from American Military University where he graduated with honors and also has a master’s degree in Information Technology from Carnegie Mellon University where he graduated with highest distinction. As a former Navy Reserve Officer, Clint served in many roles, such as a division officer and department head for commands in the information warfare community.

    Provider
    Cybrary Logo
    Certification Body
    Certificate of Completion

    Complete this entire course to earn a CVE Series: Jenkins Arbitrary File Leak Vulnerability (CVE-2024-23897) Certificate of Completion