Jenkins Plugin Flaw Lets Attackers Gain Admin Access

A recent security advisory from Jenkins reported that they had fixed 24 vulnerabilities affecting multiple Jenkins plugins.

This Flaw includes 5 High, 18 Medium, and 1 Low severity vulnerabilities.

Patches have been released for some of the affected plugins, while others are still under development.

Affected Plugins and their Versions

The list of affected Jenkins plugins includes,

• Active Directory Plugin up to and including 2.30
• Assembla Auth Plugin up to and including 1.14
• Benchmark Evaluator Plugin up to and including 1.0.1
• Datadog Plugin up to and including 5.4.1
• ElasticBox CI Plugin up to and including 5.0.1
• External Monitor Job Type Plugin up to and including 206.v9a_94ff0b_4a_10
• mabl Plugin up to and including 0.0.46
• MathWorks Polyspace Plugin up to and including 1.0.5
• OpenShift Login Plugin up to and including 1.1.0.227.v27e08dfb_1a_20
• Oracle Cloud Infrastructure Compute Plugin up to and including 1.0.16
• Orka by MacStadium Plugin up to and including 1.33
• Pipeline restFul API Plugin up to and including 0.11
• Rebuilder Plugin up to and including 320.v5a_0933a_e7d61
• SAML Single Sign On(SSO) Plugin up to and including 2.3.0
• Sumologic Publisher Plugin up to and including 2.2.1
• Test Results Aggregator Plugin up to and including 1.2.13

CVE(s):

The list of CVEs, severity, and their related affected plugin are as mentioned below,

CVE ID	Severity	Description	Affected Plugin
CVE-2023-37946	High	Session fixation vulnerability in OpenShift Login Plugin	OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier
CVE-2023-37957	High	CSRF vulnerability in Pipeline restFul API Plugin	Pipeline restFul API Plugin 0.11 and earlier
CVE-2023-37952, CVE-2023-37953	High	CSRF vulnerability and missing permission checks in mabl Plugin allow capturing credentials	mabl Plugin 0.0.46 and earlier
CVE-2023-37942	High	XXE vulnerability in External Monitor Job Type Plugin	External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier
CVE-2023-37961	Medium	CSRF vulnerability in Assembla Auth Plugin	Assembla Auth Plugin 1.14 and earlier
CVE-2023-37947	Medium	Open redirect vulnerability in OpenShift Login Plugin	OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432 and earlier
CVE-2023-37954	Medium	CSRF vulnerability in Rebuilder Plugin	Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier
CVE-2023-37948	Medium	Missing SSH host key validation in Oracle Cloud Infrastructure Compute Plugin	Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier
CVE-2023-37958, CVE-2023-37959	Medium	CSRF vulnerability and missing permission checks in Sumologic Publisher Plugin	Sumologic Publisher Plugin 2.2.1 and earlier
CVE-2023-37962, CVE-2023-37963	Medium	CSRF vulnerability and missing permission checks in Benchmark Evaluator Plugin	Benchmark Evaluator Plugin 1.0.1 and earlier
CVE-2023-37955,  CVE-2023-37956	Medium	CSRF vulnerability and missing permission check in Test Results Aggregator Plugin	Test Results Aggregator Plugin 1.2.13 and earlier
CVE-2023-37960	Medium	Arbitrary file read vulnerability in MathWorks Polyspace Plugin	MathWorks Polyspace Plugin 1.0.5 and earlier
CVE-2023-37949	Medium	Missing permission check in Orka by MacStadium Plugin allows capturing credentials	Orka by MacStadium Plugin 1.33 and earlier
CVE-2023-37944	Medium	Missing permission check in Datadog Plugin allows capturing credentials	Datadog Plugin 5.4.1 and earlier
CVE-2023-37964, CVE-2023-37965	Medium	CSRF vulnerability and missing permission checks in ElasticBox CI Plugin allow capturing credentials	ElasticBox CI Plugin 5.0.1 and earlier
CVE-2023-37950	Medium	Missing permission check in mabl Plugin allows enumerating credentials IDs	mabl Plugin 0.0.46 and earlier
CVE-2023-37951	Medium	Exposure of system-scoped credentials in mabl Plugin	mabl Plugin 0.0.46 and earlier
CVE-2023-37945	Medium	Missing permission check in SAML Single Sign On(SSO) Plugin	SAML Single Sign On(SSO) Plugin 2.3.0 and earlier
CVE-2023-37943	Low	Password transmitted in plain text by Active Directory Plugin	Active Directory Plugin 2.30.1 and earlier

High Severity Vulnerabilities

CVE-2023-37946: Session Fixation Vulnerability

This vulnerability exists due to improper session management in the OpenShift Login Plugin due to which previous sessions are not invalidated. This can allow threat actors to gain administrator access with social engineering techniques.

The CVSS Score for this vulnerability is yet to be confirmed.

CVE-2023-37957: CSRF vulnerability in Pipeline

This vulnerability exists due to the lack of POST requests to an HTTP endpoint which results in Cross-Site Request Forgery (CSRF).

An attacker can connect to Jenkins with an attacker-specified URL resulting in the impersonation of a victim with a newly generated JCLI token. The CVSS Score for this vulnerability is yet to be confirmed.

CVE-2023-37952, CVE-2023-37953: CSRF Vulnerability and Missing Permission

A vulnerability exists as several HTTP endpoints do not perform permission checks which allows threat actors to obtain the connection to Jenkins with Overall/Read permissions through attacker-specified URL and credential IDs collected with another method.

In addition to this, these endpoints do not require POST requests which result in Cross-Site Request Forgery. The CVSS Score for these vulnerabilities is yet to be confirmed.

CVE-2023-37942: XXE vulnerability in External Monitor

This vulnerability exists due to the misconfiguration of the XML parser, which prevents External XML Entity (XXE) attacks.

This allows threat actors to parse a crafted HTTP request with XML data that results in the extraction of sensitive information from Jenkins Controller or Server-Side Request Forgery (SSRF).

The CVSS Score for this vulnerability is yet to be confirmed.

Fixed Plugins

Jenkins has fixed some of the affected plugins, which include,

• Active Directory Plugin should be updated to version 2.30.1
• Datadog Plugin should be updated to version 5.4.2
• External Monitor Job Type Plugin should be updated to version 207.v98a_a_37a_85525
• mabl Plugin should be updated to version 0.0.47
• OpenShift Login Plugin should be updated to version 1.1.0.230.v5d7030b_f5432
• Oracle Cloud Infrastructure Compute Plugin should be updated to version 1.0.17
• Orka by MacStadium Plugin should be updated to version 1.34
• SAML Single Sign On(SSO) Plugin should be updated to version 2.3.1

Unfixed Plugins

The plugins for which fixes are not available include,

• Assembla Auth Plugin
• Benchmark Evaluator Plugin
• ElasticBox CI Plugin
• MathWorks Polyspace Plugin
• Pipeline restFul API Plugin
• Rebuilder Plugin
• Sumologic Publisher Plugin
• Test Results Aggregator Plugin

Users of these Jenkins plugins are advised to upgrade to the latest versions to avoid unauthorized access to systems. Other plugins are still being fixed, and patches are yet to be made available.

More details about all these vulnerabilities can be found on the Jenkins Security Advisory Page.