
CVE 2024 23897 jenkins cli#1517

Open
Prajwal5755 wants to merge 5 commits into OWASP:master from Prajwal5755:cve-2024-23897-jenkins-cli

Conversation

@Prajwal5755 Prajwal5755 commented Apr 15, 2026

Proposed change

Added detection module for CVE-2024-23897 (Jenkins CLI Arbitrary File Read)
This PR adds a new module to detect CVE-2024-23897 in Jenkins.

The vulnerability is caused by improper handling of the @file syntax in the Jenkins CLI, allowing arbitrary file reads. The module sends a crafted POST request to the /cli endpoint with the payload help @/etc/passwd and checks for indicators such as root:x:0: in the response.

The module was tested locally using a simulated vulnerable environment to validate detection.

Type of change

  • New core framework functionality
  • Bugfix (non-breaking change that fixes an issue)
  • Code refactoring without any functionality changes
  • New or existing module/payload change
  • Documentation/localization improvement
  • Test coverage improvement
  • Dependency upgrade
  • Other improvement (best practice, cleanup, optimization, etc)

Checklist

  • I've followed the contributing guidelines
  • I've digitally signed all my commits in this PR
  • I've run make pre-commit and confirm it didn't generate any warnings/changes
  • I've run make test and I confirm all tests passed locally
  • I've added/updated any relevant documentation in the docs/ folder
  • I've linked this PR with an open issue
  • I've tested and verified that my code works as intended and resolves the issue as described
  • I've attached screenshots demonstrating that my code works as intended (if applicable)
  • I've checked all other open PRs to avoid submitting duplicate work
  • I confirm that the code and comments in this PR are not direct unreviewed outputs of AI
  • I confirm that I am the Sole Responsible Author for every line of code, comment, and design decision


coderabbitai bot commented Apr 15, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d4658f0e-f650-45fa-a19f-a0044e13eda2

📥 Commits

Reviewing files that changed from the base of the PR and between 569e175 and a3e93ba.

📒 Files selected for processing (1)
  • nettacker/modules/vuln/jenkins_cve_2024_23897.yaml
✅ Files skipped from review due to trivial changes (1)
  • nettacker/modules/vuln/jenkins_cve_2024_23897.yaml

Summary by CodeRabbit

  • New Features
    • Added Jenkins CVE-2024-23897 vulnerability detection for identifying potentially vulnerable HTTP/HTTPS endpoints across standard ports (80, 443, 8080, 8443).

Walkthrough

Adds a new YAML vulnerability detection rule that scans Jenkins /cli endpoints by POSTing `help @/etc/passwd` over common HTTP/HTTPS ports and flags CVE-2024-23897 when a 200 response contains /etc/passwd-like entries.

Changes

Cohort / File(s): New Jenkins Vulnerability Detection Rule
  nettacker/modules/vuln/jenkins_cve_2024_23897.yaml
Summary: Adds a vuln rule jenkins_cve_2024_23897_vuln that tries HTTP/HTTPS POSTs to /cli on ports 80/443/8080/8443 with a `help @/etc/passwd` body, checks for HTTP 200 and regex `(root:x:0

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

new module

Suggested reviewers

  • arkid15r
  • securestep9
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Title check: ❓ Inconclusive. The title is partially related to the changeset. It mentions CVE-2024-23897 and Jenkins CLI, but lacks concise clarity and uses abbreviated formatting ('CVE 2024 23897') that reduces readability. Resolution: Refine the title to be more concise and descriptive, e.g., 'Add Jenkins CLI arbitrary file read (CVE-2024-23897) detection' or 'Detect Jenkins CVE-2024-23897 vulnerability'.

✅ Passed checks (2 passed)

Description check: ✅ Passed. The description is well-related to the changeset, providing clear context about the vulnerability, detection approach, and testing performed.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
nettacker/modules/vuln/jenkins_cve_2024_23897.yaml (1)

42-54: Linux-only file probe can miss vulnerable Windows Jenkins instances.

Using only `help @/etc/passwd` limits detection coverage. Consider adding a second probe (e.g., `@C:\Windows\win.ini`) so vulnerable Windows deployments are also detected.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/jenkins_cve_2024_23897.yaml` around lines 42 - 54, The
probe currently sends "help `@/etc/passwd`" which only detects Linux Jenkins;
update the vulnerability probe in jenkins_cve_2024_23897.yaml to also test a
Windows-specific file (e.g., send a second probe with "help `@C:\Windows\win.ini`"
or include both payloads) and adjust the response matching logic (the
`response.conditions.content.regex` or add a separate response entry) to accept
either Linux indicators ("root:x:0|daemon:x:1") or Windows indicators from
win.ini so Windows instances are detected as well.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fdf99cf9-ec0c-4f4a-bd87-89a6913a46e2

📥 Commits

Reviewing files that changed from the base of the PR and between 06c9bdf and 569e175.

📒 Files selected for processing (1)
  • nettacker/modules/vuln/jenkins_cve_2024_23897.yaml
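As an added illustration of the response-matching logic behind this module and the Windows-coverage nitpick above (example code, not Nettacker's engine or the PR's YAML): a small Python model that applies the rule's HTTP 200 gate and its `root:x:0|daemon:x:1` regex, adds the suggested win.ini probe, and runs both against constructed responses. The win.ini section-header markers and all sample bodies are assumptions, not captured data.

```python
import re
from dataclasses import dataclass

# Indicators taken from the rule's regex for a leaked /etc/passwd.
LINUX_RE = re.compile(r"root:x:0|daemon:x:1")
# Assumed markers for a leaked win.ini: section headers present in stock installs.
WINDOWS_RE = re.compile(r"^\[(fonts|extensions|mci extensions|files)\]", re.M | re.I)


@dataclass
class Probe:
    payload: str        # body that would be POSTed to /cli
    pattern: re.Pattern  # content regex that confirms a successful file read
    platform: str


PROBES = [
    Probe("help @/etc/passwd", LINUX_RE, "linux"),
    Probe("help @C:\\Windows\\win.ini", WINDOWS_RE, "windows"),  # reviewer's suggestion
]


def classify(status: int, body: str, probe: Probe):
    """Return the probe's platform if the response shows a file read, else None.

    Mirrors the rule: a non-200 status never matches, and the body must contain
    the platform's content markers. A body that merely echoes the argument
    (e.g. an error mentioning @/etc/passwd) has no such markers and is rejected.
    """
    if status != 200:
        return None
    if probe.pattern.search(body) is None:
        return None
    return probe.platform


def first_hit(responses):
    """responses: iterable of (probe, status, body); return first matching platform."""
    for probe, status, body in responses:
        platform = classify(status, body, probe)
        if platform is not None:
            return platform
    return None


# Constructed sample responses (not captured from any real host).
LINUX_LEAK = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
WINDOWS_LEAK = "; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n"
ECHO_ONLY = "ERROR: No such file: @/etc/passwd\n"  # argument echoed, nothing leaked
```

Feeding the Linux probe's response to the Windows pattern (or vice versa) yields no match, which is why the module needs either a combined regex or one response entry per probe.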

Comment on lines +17 to +22
      - method: post
        timeout: 3
        headers:
          User-Agent: "{user_agent}"
          Content-Type: "text/plain"



⚠️ Potential issue | 🟠 Major

Add explicit ssl on the HTTP step.

Line 17–22 defines the HTTP step without an explicit ssl field. Please set it explicitly to avoid ambiguous transport behavior across targets.

Suggested patch
       - method: post
         timeout: 3
+        ssl: false
         headers:
           User-Agent: "{user_agent}"
           Content-Type: "text/plain"
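Review bot: the added `ssl: false` line pins this step to plaintext, but the walkthrough above states the rule probes HTTPS as well (ports 443 and 8443); with `ssl` fixed to false those probes would go out without TLS and vulnerable HTTPS-only instances would be missed. If the module format accepts a list for this field, prefer `ssl: [false, true]`, otherwise split the step into a plaintext and a TLS variant so making the field explicit does not narrow coverage.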

Based on learnings: “Every HTTP step must include headers.User-Agent: "{user_agent}", ssl:, and the info block must include reference:.”

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/jenkins_cve_2024_23897.yaml` around lines 17 - 22, The
HTTP step that currently shows method: post with headers.User-Agent and
Content-Type needs an explicit ssl field to avoid ambiguous transport—add ssl:
true (or ssl: false if this target is known plaintext) directly under the step
alongside timeout, and ensure the rule's info block includes a reference: entry
(e.g., info.reference: "CVE-2024-23897" or a vendor advisory) so the file
jenkins_cve_2024_23897.yaml contains headers.User-Agent: "{user_agent}", an
explicit ssl setting, and an info.reference value.
