automatic module_metadata_base.json update

Author: msjenkins-r7

db/modules_metadata_base.json

@@ -22561,6 +22561,74 @@
 
     ]
   },
+  "auxiliary_gather/jenkins_cli_ampersand_arbitrary_file_read": {
+    "name": "Jenkins cli Ampersand Replacement Arbitrary File Read",
+    "fullname": "auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-01-24",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Yaniv Nizry",
+      "binganao",
+      "h4x0r-dz",
+      "Vozec"
+    ],
+    "description": "This module utilizes the Jenkins cli protocol to run the `help` command.\n          The cli is accessible with read-only permissions by default, which are\n          all thats required.\n\n          Jenkins cli utilizes `args4j's` `parseArgument`, which calls `expandAtFiles` to\n          replace any `@<filename>` with the contents of a file. We are then able to retrieve\n          the error message to read up to the first two lines of a file.\n\n          Exploitation by hand can be done with the cli, see markdown documents for additional\n          instructions.\n\n          There are a few exploitation oddities:\n          1. The injection point for the `help` command requires 2 input arguments.\n          When the `expandAtFiles` is called, each line of the `FILE_PATH` becomes an input argument.\n          If a file only contains one line, it will throw an error: `ERROR: You must authenticate to access this Jenkins.`\n          However, we can pad out the content by supplying a first argument.\n          2. There is a strange timing requirement where the `download` (or first) request must get\n          to the server first, but the `upload` (or second) request must be very close behind it.\n          From testing against the docker image, it was found values between `.01` and `1.9` were\n          viable. Due to the round trip time of the first request and response happening before\n          request 2 would be received, it is necessary to use threading to ensure the requests\n          happen within rapid succession.\n\n          Files of value:\n          * /var/jenkins_home/secret.key\n          * /var/jenkins_home/secrets/master.key\n          * /var/jenkins_home/secrets/initialAdminPassword\n          * /etc/passwd\n          * /etc/shadow\n          * Project secrets and credentials\n          * Source code, build artifacts",
+    "references": [
+      "URL-https://www.jenkins.io/security/advisory/2024-01-24/",
+      "URL-https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/",
+      "URL-https://github.com/binganao/CVE-2024-23897",
+      "URL-https://github.com/h4x0r-dz/CVE-2024-23897",
+      "URL-https://github.com/Vozec/CVE-2024-23897",
+      "CVE-2024-23897"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-03-28 15:54:58 +0000",
+    "path": "/modules/auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "gather/jenkins_cli_ampersand_arbitrary_file_read",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_gather/jenkins_cred_recovery": {
     "name": "Jenkins Domain Credential Recovery",
     "fullname": "auxiliary/gather/jenkins_cred_recovery",