Good explanation! I like how you actually tried to understand what was going on instead of skirting over a bunch of stuff like other youtubers do!
Interesting approach to this vuln, nice video showcasing. Thx.
Thanks for the explanation. All the best with understanding the bash xD
Great vid. Thank you, 0xdf!
Great explanation. Thanks for sharing!
To resolve the issue with stages in Jenkins related to the CVE-2024-23897 (Arbitrary File Read Vulnerability), you should update Jenkins to version 2.441 or later, or LTS 2.426.3 or later. This update disables a feature of the CLI command parser that allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system. Additionally, you can follow the security advisory provided by Jenkins to ensure your system is secure and protected against this vulnerability.
It would be nice if you could put that bash file on a GitHub repo!
What if the target server is Windows? What file do we need to search to obtain sensitive information?
Would have to look in more detail into what Jenkins stores where on Windows. Would probably be worth spinning up a Windows VM and installing Jenkins to check it out.
@0xdf I really searched well but I didn't find any CVE or GitHub report for Windows. Yeah, I should try installing Jenkins on a VM, thanks.
Thanx man
Nice video, but I have no clue about the bash loop 😂😅.
But great approach❤.
Fiddled about with it and noticed that, if I set up the commands on a different file descriptor (i.e. 3), then the while read (-u 3) loop runs just fine.
Haven't looked at the source for the cli yet, but maybe it somehow messes with stdin?
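The effect the comment above describes, as an added example that is not the video's script or the commenter's code: a `while read` loop whose body runs a command that reads stdin processes only one line, because that command drains the same descriptor the loop reads from, and moving the loop input to fd 3 with `read -u 3` separates the two. Function names and the sample input are made up for this demo, and `cat >/dev/null` stands in for the CLI command in the video (any stdin-consuming program behaves the same).

```bash
#!/usr/bin/env bash
# Added example (not from the video or the comment above): shows why a
# `while read` loop that runs a stdin-consuming command in its body stops
# after the first line, and how reading the loop input from fd 3 fixes it.
# `cat >/dev/null` stands in for the CLI command used in the video; any
# program that reads its stdin drains the loop input the same way.

# Constructed input: three lines, so a correct loop runs three iterations.
INPUT=$'cmd-one\ncmd-two\ncmd-three'

# Broken form: loop input and the body's stdin are the same descriptor (0).
# The body drains it during the first iteration, so `read` then sees EOF.
count_with_stdin() {
    local n=0 line
    while read -r line; do
        n=$((n + 1))
        cat >/dev/null      # body reads fd 0: swallows the remaining lines
    done <<< "$INPUT"
    echo "$n"               # prints 1
}

# Fixed form: feed the loop through fd 3 (`3<<<`) and read with `-u 3`.
# The body still reads fd 0, which is no longer the loop input, so every
# line is processed. (`</dev/null` only keeps this demo from blocking on
# the terminal; the fix itself is the fd 3 separation.)
count_with_fd3() {
    local n=0 line
    while read -r -u 3 line; do
        n=$((n + 1))
        cat >/dev/null      # reads fd 0, untouched by the loop
    done 3<<< "$INPUT" </dev/null
    echo "$n"               # prints 3
}

# Alternative fix without a second descriptor: give the body an explicitly
# empty stdin so it cannot consume the loop's input.
count_with_devnull() {
    local n=0 line
    while read -r line; do
        n=$((n + 1))
        cat >/dev/null </dev/null
    done <<< "$INPUT"
    echo "$n"               # prints 3
}

echo "stdin loop processed:     $(count_with_stdin) of 3 lines"
echo "fd-3 loop processed:      $(count_with_fd3) of 3 lines"
echo "/dev/null loop processed: $(count_with_devnull) of 3 lines"
```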
howdy hoaxbeef