CVE-2022-43414 Jenkins NUnit Plugin 0.27 and earlier has an agent-to-controller message that parses files as test results, allowing attackers to control agent processes to obtain test results from files in the attacker's specification.

This can lead to information leakage from the Jenkins environment, such as revealing credentials or sensitive data. Jenkins is not vulnerable to this issue if you are running tests on a different system or creating tests that do not use the Jenkinsfile.

1. Jenkins is vulnerable to a directory traversal attack in the Agent-to-Controller interface, enabling attackers to inject arbitrary commands into the Jenkins environment. Jenkins is not vulnerable to this issue if you are running tests on a different system or creating tests that do not use the Jenkinsfile. End users and administrators are advised to consider making sure that Jenkins is not running on a system where user account and/or system configuration settings are such that an attacker could leverage this vulnerability for malicious purposes. For example, it may be beneficial to ensure that Jenkins is not running on a system where the agent home directory is writable by any user.

2

. Jenkins is vulnerable to a code injection attack in the Authentication Plugin that can be used to inject arbitrary java bytecode to any user running a Jenkins server instance. This could enable attackers to execute arbitrary commands within the Jenkins environment and gain elevated privileges. This issue was introduced in version 1.641 of the Jenkins Agent, which was released on November 8th, 2017. The vulnerability exists because of an out-of-date dependency on the Apache Commons Daemon library for Java which did not include a fix for CVE-2017-14705.

Vulnerable code example (Jenkinsfile)

2. An attacker could leverage this vulnerability to gain access to Jenkins environment and execute arbitrary commands with root privileges.
1. In the Agent-to-Controller interface, attackers can inject arbitrary commands into the Jenkins environment by executing a directory traversal attack (CVE-2022-43414).
2. In any other scenario, an attacker could leverage this vulnerability to execute files or scripts at the Jenkins agent home directory with root privileges (CVE-2022-43414).
3. This vulnerability is not exploitable in the Developer IDE because it uses completely different code paths than the Agent-to-Controller interface.
4. The Developer IDE is not vulnerable to any of these vulnerabilities because it uses different code paths for building projects and executing tests, which are not vulnerable to CVEs 2022–43414 (Directory traversal) and 2023–60125 (Root privilege escalation).
5. Administrators may consider disabling web services and web console on all agents as a mitigation until a more permanent fix can be made available.

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/21/2022 03:14:00 UTC

References

• https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2551
• http://www.openwall.com/lists/oss-security/2022/10/19/3
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-43414