CVE-2022-41249 The Jenkins SCM HttpClient Plugin 1.5 and earlier has a CSRF vulnerability that allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method.

If the same credentials are stored in other applications, those applications may be compromised, resulting in a credential disclosure. In addition to being able to access the Jenkins system, an attacker may also be able to escalate their privileges on the Jenkins system. This can be done by installing a plugin that provides a new permission on the system, or by installing a plugin that provides a new capability on the Jenkins system. It is advised not to store credentials where the risk of an attacker accessing those credentials is high. For example, storing sensitive credit card numbers in Jenkins is a high risk scenario.

Manual Steps to Mitigate Jenkins Credential Disclosure Risk

Manually changing the credentials in Jenkins is possible, but it is not recommended. If you choose to manually change the credentials, follow these steps:
1. On the Jenkins host from where Jenkins was launched, open a terminal window and execute these commands:
sudo su -
cd /var/jenkins/secrets
2. Locate and rename the credential file to something else that does not contain any sensitive information. For example, "my-secret-credential" becomes "my-new-credential".
3. Open the Jenkins configuration file and make a backup copy of it before editing anything in it. Use the following command to open the configuration file:
sudo vi /var/jenkins/configuration.xml
4. Within this document, locate the

How to protect against credential disclosure in Jenkins?

One of the most common ways to protect against credential disclosure in Jenkins is by using the GitLab plugin, which automatically encrypts credentials before they are saved. This plugin can be configured to encrypt sensitive data, such as a user name and password. By default, this plugin will encrypt sensitive information with a unique string that is generated on each system. It also generates a unique key for each new encrypted set of information. These values are stored in the Jenkins database and any changes made to them will be reflected in the encrypted data and vice versa.

Fixation of Credential in Jenkins

If the same credentials are stored in other applications, those applications may be compromised, resulting in a credential disclosure. In addition to being able to access the Jenkins system, an attacker may also be able to escalate their privileges on the Jenkins system. This can be done by installing a plugin that provides a new permission on the system, or by installing a plugin that provides a new capability on the Jenkins system. It is advised not to store credentials where the risk of an attacker accessing those credentials is high. For example, storing sensitive credit card numbers in Jenkins is a high risk scenario.

Timeline

Published on: 09/21/2022 16:15:00 UTC
Last modified on: 09/22/2022 18:37:00 UTC

References

• https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2708
• http://www.openwall.com/lists/oss-security/2022/09/21/5
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41249