Closed W0ngL1 closed 8 months ago
Hi @W0ngL1,
Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.
Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on the implementation work for any other requests you might have.
Thanks!
@tooryx Thanks, I'm working on it.
Hi @W0ngL1,
Your PR has been merged. This usually means a reward will be granted. Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.
Thanks!
Thanks @tooryx. Copy that.
Hi @tooryx, ten days have passed, but I haven't received any emails from p2p-vrp yet.
Hi @W0ngL1,
We are still reviewing that submission. I expect to discuss this issue with the rest of the panel today, so you should receive a message by the end of the week.
~tooryx
Thanks @tooryx, copy that.
Hi @W0ngL1,
The panel has decided on the reward. You should receive a message soon on the ticket opened on bughunters.google. Thank you for your contribution!
~tooryx
Hi @W0ngL1,
I completely forgot, but can you also please upload the vulnerable docker image to https://github.com/google/security-testbeds? That means creating a directory in https://github.com/google/security-testbeds/tree/main/jenkins with the vulnerability identifier and adding the instructions for the vulnerable instance.
Thank you! ~tooryx
Thanks @tooryx, I've received the email, and I'll upload the images soon.
Hi @tooryx, I've created a PR. https://github.com/google/security-testbeds/pull/26
Hi there.
I would like to start implementing a plugin to detect Jenkins Arbitrary File Read (CVE-2024-23897).
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-23897
https://www.jenkins.io/security/advisory/2024-01-24/
Description: Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default, and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier do not disable it. This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.
Versions: Jenkins weekly <= 2.441; Jenkins LTS <= 2.426.2
Thanks.
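As an added example (not the Tsunami plugin's code and not part of this thread), a small Python helper that applies the affected-version ranges quoted above to the version a Jenkins instance advertises in its X-Jenkins response header; the weekly/LTS split is inferred from the number of version components, and the sample headers are constructed.

```python
import re

# Affected ranges from the advisory quoted in the issue: weekly <= 2.441, LTS <= 2.426.2.
LAST_VULN_WEEKLY = (2, 441)
LAST_VULN_LTS = (2, 426, 2)

# Weekly releases use two components (2.441); LTS releases use three (2.426.2).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_jenkins_version(version: str):
    """Return a tuple of ints for a plain Jenkins version string, or None otherwise."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version: str) -> bool:
    """True when the reported version lies in an affected range for CVE-2024-23897."""
    parts = parse_jenkins_version(version)
    if parts is None:
        return False  # snapshot/custom builds: make no claim from the version alone
    if len(parts) == 2:
        return parts <= LAST_VULN_WEEKLY
    return parts <= LAST_VULN_LTS


def version_from_headers(raw_headers: str):
    """Extract the value of the X-Jenkins response header (header names are case-insensitive)."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


# Constructed sample response headers; not captured from any real host.
SAMPLE_HEADERS = "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.426.2\r\nX-Jenkins-Session: abc123\r\n"


def triage(raw_headers: str):
    """Return (advertised version, affected?) for one captured response header block."""
    version = version_from_headers(raw_headers)
    return version, (is_affected(version) if version else False)


if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))  # ('2.426.2', True)
```

A version match is only a triage signal: a patched instance can still report an old version behind a proxy, and backports exist, so the detector should confirm the fix state rather than rely on the header alone.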