Index

Aug 22, 2024

The Jenkins bruteforce capabilities now correctly identify when Jenkins requires authentication. This release also includes 3 new modules, including two SQL injection modules for DIAEnergie and Fortra FileCatalyst, as well as a SPIP Unauthenticated RCE Exploit.

Fixed

Pro: Fixed login button visual regression.
Pro: Fixed an issue where the Jenkins login scanner incorrectly identified Jenkins as not requiring authentication.
Pro: Fixed an issue that could cause crashes after uploading a custom logo for reports.
PR 19366 - Update the Jenkins login scanner to correctly determine whether authentication is required.

Modules

PR 19351 - This adds an exploit module for CVE-2024-4548, an unauthenticated SQL Injection vulnerability able to achieve remote code execution as NT AUTHORITY\SYSTEM.
PR 19373 - This adds an auxiliary module to exploit the CVE-2024-5276 , a SQL Injection vulnerability that allows for adding an arbitrary administration user in the application.
PR 19394 - Adds a new exploit/multi/http/spip_porte_plume_previsu_rce SPIP Unauthenticated Remote Code Execution (RCE) module targeting SPIP versions up to and including 4.2.12.

Offline Update

https://updates.metasploit.com/packages/b9c2e18a486cd96a1b58c8f34ad79960f0900fa3.bin

Metasploit Framework and Pro Installers

https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version