The Human Connection Blog
New Cyber Threat Intelligence Lab release!
BenMcCarthy
7 months ago
Immerser
Today we have a brand new set of labs related to CVE-2024-23897 (Jenkins Arbitrary File Read).
On January 24, 2024, Jenkins released its official advisory for several vulnerabilities, from WebSocket hijacking to arbitrary file reads.
This vulnerability leverages Jenkins' built-in CLI, which is used to access Jenkins' resources through a shell. It's possible to take advantage of how Jenkins parses command line arguments to read the contents of files. How much content can be read depends on the attacker's authentication status.
Who are the labs for?
These labs are focused on upskilling and increasing the offensive capabilities of the following roles:
- Red Teamers
- Penetration Testers
- Internal Security Testers
What are the key takeaways?
- Outline the Jenkins arbitrary file read vulnerability
- Understand how attackers can leverage improper parsing of command line arguments to read sensitive data
Cyber Pro licensed users can access the new collection here.
Updated 7 months ago
Version 2.0