
CVE 2024 23897 jenkins cli #1517

Open
Prajwal5755 wants to merge 9 commits into OWASP:master from Prajwal5755:cve-2024-23897-jenkins-cli

Conversation

Prajwal5755 (Author) commented Apr 15, 2026

Proposed change

Added detection module for CVE-2024-23897 (Jenkins CLI Arbitrary File Read)
This PR adds a new module to detect CVE-2024-23897 in Jenkins.

The vulnerability is caused by improper handling of the @file syntax in the Jenkins CLI, allowing arbitrary file reads. The module sends a crafted POST request to the /cli endpoint with the payload help @/etc/passwd and checks for indicators such as root:x:0: in the response.

The module was tested locally using a simulated vulnerable environment to validate detection.

Type of change

  • New core framework functionality
  • Bugfix (non-breaking change that fixes an issue)
  • Code refactoring without any functionality changes
  • New or existing module/payload change
  • Documentation/localization improvement
  • Test coverage improvement
  • Dependency upgrade
  • Other improvement (best practice, cleanup, optimization, etc)

Checklist

  • I've followed the contributing guidelines
  • I've digitally signed all my commits in this PR
  • I've run make pre-commit and confirm it didn't generate any warnings/changes
  • I've run make test and I confirm all tests passed locally
  • I've added/updated any relevant documentation in the docs/ folder
  • I've linked this PR with an open issue
  • I've tested and verified that my code works as intended and resolves the issue as described
  • I've attached screenshots demonstrating that my code works as intended (if applicable)
  • I've checked all other open PRs to avoid submitting duplicate work
  • I confirm that the code and comments in this PR are not direct unreviewed outputs of AI
  • I confirm that I am the Sole Responsible Author for every line of code, comment, and design decision
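The match conditions the description and the review thread discuss (HTTP 200 plus a passwd-like fragment, extended with a win.ini indicator for Windows hosts as the CodeRabbit nitpick suggests), written out as an added Python example. This is not code from the Nettacker module or from this PR: the Linux pattern mirrors the `root:x:0|daemon:x:1` indicators named in the thread, while the win.ini section names and every sample response body are constructed assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not code from the Nettacker module or this PR.
# Linux indicators mirror the pattern the review thread names
# ("root:x:0|daemon:x:1"); the win.ini section names are an ASSUMPTION
# standing in for the "Windows indicators from win.ini" the review leaves open.
LINUX_PASSWD_RE = re.compile(r"(root:x:0|daemon:x:1)")
WINDOWS_WIN_INI_RE = re.compile(r"(?m)^\[(fonts|extensions|mci extensions)\]")  # assumed indicators


def classify_response(status_code: int, body: str) -> Optional[str]:
    """Classify one /cli response body.

    Returns "linux" or "windows" when the body carries a recognizable fragment
    of the probed file, and None otherwise. Both conditions the module uses are
    required: HTTP 200 and matching content. A non-200 page that happens to
    quote passwd-like text, or a 200 error page that merely echoes the
    "@/etc/passwd" argument, is not treated as a confirmed file read.
    """
    if status_code != 200:
        return None
    if LINUX_PASSWD_RE.search(body):
        return "linux"
    if WINDOWS_WIN_INI_RE.search(body):
        return "windows"
    return None


def is_file_read_confirmed(status_code: int, body: str) -> bool:
    """Boolean form of the check, i.e. the module's positive/negative outcome."""
    return classify_response(status_code, body) is not None


# Constructed sample responses (status, body); none were captured from a real host.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "linux_leak": (200, "root:x:0:0:root:/root:/bin/bash\n"
                        "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"),
    "windows_leak": (200, "; for 16-bit app support\n[fonts]\n[extensions]\n"),
    "argument_echo": (200, "ERROR: No such command @/etc/passwd\n"),
    "forbidden_quote": (403, "root:x:0:0:root:/root:/bin/bash\n"),
}


def run_samples() -> Dict[str, Optional[str]]:
    """Classify every constructed sample; used for the worked run below."""
    return {name: classify_response(status, body)
            for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16s} -> {verdict or 'not confirmed'}")
```

The two negative samples are the ones worth keeping in a module's test set: an error page that echoes the argument back must not satisfy the content regex, and a matching body on a non-200 status must not count, which is exactly why the rule requires both conditions together.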

coderabbitai Bot (Contributor) commented Apr 15, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: df56c2a2-22b9-4d4f-bcd7-3cce43d5c3d2

📥 Commits

Reviewing files that changed from the base of the PR and between ef10f0d and 9b26696.

📒 Files selected for processing (1)
  • docs/Modules.md
✅ Files skipped from review due to trivial changes (1)
  • docs/Modules.md

Summary by CodeRabbit

  • New Features

    • Added Jenkins CVE-2024-23897 detection for HTTP/HTTPS endpoints (standard ports) targeting the CLI interface; confirms findings by checking response status and passwd-like content to reduce false positives.
    • Includes severity (7.5) and an external advisory reference; enabled for vulnerability and Jenkins scanning profiles.
  • Documentation

    • Added module documentation describing the new Jenkins vulnerability check.

Walkthrough

Adds a new YAML vulnerability rule that detects Jenkins CVE-2024-23897 by POSTing `help @/etc/passwd` to /cli over common HTTP/HTTPS ports and confirming responses with status 200 and /etc/passwd-like content.

Changes

Cohort / File(s): Summary

  • New Jenkins Vulnerability Detection Rule (nettacker/modules/vuln/jenkins_cve_2024_23897.yaml): Adds the jenkins_cve_2024_23897_vuln rule: builds URLs for http/https on ports 80, 443, 8080 and 8443 targeting /cli, sends a POST with Content-Type: text/plain and body `help @/etc/passwd`, and flags positive when the status matches 200 and the body matches `(root:x:0`
  • Documentation (docs/Modules.md): Adds a line documenting the new jenkins_cve_2024_23897_vuln module and its detection purpose.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

new module

Suggested reviewers

  • arkid15r
  • securestep9
🚥 Pre-merge checks: 5 passed

  • Title check: Passed. The title 'CVE 2024 23897 jenkins cli' references the specific CVE and Jenkins vulnerability being added, matching the main changeset which introduces a detection module for this exact vulnerability.
  • Description check: Passed. The description provides relevant context about CVE-2024-23897 detection in Jenkins, explaining the vulnerability mechanics, detection approach, and testing methodology, all directly related to the module addition.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
nettacker/modules/vuln/jenkins_cve_2024_23897.yaml (1)

42-54: Linux-only file probe can miss vulnerable Windows Jenkins instances.

Using only `help @/etc/passwd` limits detection coverage. Consider adding a second probe (e.g., `@C:\Windows\win.ini`) so vulnerable Windows deployments are also detected.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `nettacker/modules/vuln/jenkins_cve_2024_23897.yaml` around lines 42 - 54, the probe currently sends `help @/etc/passwd`, which only detects Linux Jenkins; update the vulnerability probe in jenkins_cve_2024_23897.yaml to also test a Windows-specific file (e.g., send a second probe with `help @C:\Windows\win.ini` or include both payloads) and adjust the response matching logic (the `response.conditions.content.regex`, or add a separate response entry) to accept either Linux indicators (`root:x:0|daemon:x:1`) or Windows indicators from win.ini so Windows instances are detected as well.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fdf99cf9-ec0c-4f4a-bd87-89a6913a46e2

📥 Commits

Reviewing files that changed from the base of the PR and between 06c9bdf and 569e175.

📒 Files selected for processing (1)
  • nettacker/modules/vuln/jenkins_cve_2024_23897.yaml

Comment on lines +17 to +22
    - method: post
      timeout: 3
      headers:
        User-Agent: "{user_agent}"
        Content-Type: "text/plain"

coderabbitai Bot (Contributor) commented:

⚠️ Potential issue | 🟠 Major

Add explicit ssl on the HTTP step.

Line 17–22 defines the HTTP step without an explicit ssl field. Please set it explicitly to avoid ambiguous transport behavior across targets.

Suggested patch
       - method: post
         timeout: 3
+        ssl: false
         headers:
           User-Agent: "{user_agent}"
           Content-Type: "text/plain"
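Review bot: `ssl: false` is hardcoded here for a step whose URL list, per the walkthrough above, covers both http and https (ports 80, 443, 8080 and 8443), so the https probes would either go out in plaintext or be misclassified; the prompt text for this same finding says `ssl: true` (or `ssl: false` only if the target is known plaintext). The value should follow the scheme of each generated URL, or the rule should be split into a plaintext step and a TLS step, rather than defaulting every port to `ssl: false`.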

Based on learnings: “Every HTTP step must include headers.User-Agent: "{user_agent}", ssl:, and the info block must include reference:.”

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/jenkins_cve_2024_23897.yaml` around lines 17 - 22, The
HTTP step that currently shows method: post with headers.User-Agent and
Content-Type needs an explicit ssl field to avoid ambiguous transport—add ssl:
true (or ssl: false if this target is known plaintext) directly under the step
alongside timeout, and ensure the rule's info block includes a reference: entry
(e.g., info.reference: "CVE-2024-23897" or a vendor advisory) so the file
jenkins_cve_2024_23897.yaml contains headers.User-Agent: "{user_agent}", an
explicit ssl setting, and an info.reference value.

severity: 7.5
description: Detects Jenkins CVE-2024-23897 arbitrary file read via CLI argument parsing using @file syntax.
reference:
- https://www.jenkins.io/security/advisory/2024-01-24/
securestep9 (Collaborator) commented on these lines.

Prajwal5755 (Author) replied:

Thank you for the guidance @securestep9. I have added the missing profiles and updated the module accordingly.

- vuln
- jenkins
- cve

securestep9 (Collaborator):

@Prajwal5755 high_severity and cisa_kev profiles missing. Please study existing Nettacker modules to understand which profiles you need

Prajwal5755 (Author):

Thank you for the guidance @securestep9. I have added the missing profiles and updated this module. I will also update my other modules accordingly.

help @/etc/passwd

response:
  log: "Confirmed CVE-2024-23897 vulnerability detected"
securestep9 (Collaborator):

no need to log anything - Nettacker vuln modules will automatically log 'Detected' against this module

Prajwal5755 (Author):

Thank you for the guidance @securestep9, I have removed the log now.

securestep9 (Collaborator):

@Prajwal5755 also please remember to update the documentation and add this module to Modules.md

Prajwal5755 (Author):

Hi @securestep9, I couldn't find Modules.md in the repository. Could you please confirm the correct location where I should add this module, or should I create the file Modules.md?

Prajwal5755 (Author):

And also I have updated the profiles, log and regex in my other modules accordingly, including PRs 1414 and 1437.

securestep9 (Collaborator):

Hi @securestep9, I couldn’t find Modules.md in the repository. Could you please confirm the correct location where I should add this module? or should i need to create file Modules.md?

Documentation is under docs/ !

Prajwal5755 (Author):

Hi @securestep9, I’ve added the module entry to Modules.md and updated the documentation as suggested. Thanks for pointing me to the correct location. Please let me know if anything else needs improvement.

Prajwal5755 and others added 3 commits April 28, 2026 18:35
Bumps [flask](https://github.com/pallets/flask) from 3.1.2 to 3.1.3.
- [Release notes](https://github.com/pallets/flask/releases)
- [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst)
- [Commits](pallets/flask@3.1.2...3.1.3)

---
updated-dependencies:
- dependency-name: flask
  dependency-version: 3.1.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@Prajwal5755 Prajwal5755 requested a review from securestep9 May 4, 2026 11:44
Prajwal5755 (Author):

Hi @securestep9, I’ve addressed all the requested changes including documentation and Modules.md updates. Could you please review it again when you have time?
