CVE-2022-43431 An earlier Compuware Strobe Measurement Plugin didn't perform permission checks, which allowed attackers with Overall/Read permission to enumerate credentials IDs.

Performing a permission check on the HTTP endpoint would have prevented the issue. In Jenkins Enterprise, this issue has been fixed in the latest 1.651 release (release notes), and in other installations it has been fixed in the latest 1.651.1 release. In the 1.651 release, Jenkins forcibly disables the HTTP endpoint that was vulnerable to this issue by default. You can re-enable it by updating the configuration in the UI. In order to mitigate against this issue, we recommend that you: Update to the latest version of Jenkins.
When installing a new version of Jenkins, you will be prompted to restart the service.

Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

What is Strobe?

Strobe is an open source enterprise-class, continuous integration and continuous delivery platform that integrates with Jenkins.

Overview of Strobe Measurement Plugin

The Strobe Measurement Plugin for Jenkins provides a web interface to allow users to view, create, update, and delete credentials stored in Jenkins.

Overview of the Issue

The issue starts when attackers create a Jenkins project with Overall/Read permissions and then use the Jenkins HTTP endpoint to store credentials IDs of credentials stored in Jenkins. The attacker can later retrieve those credentials IDs by accessing the HTTP endpoint.

Performing a permission check on the HTTP endpoint would have prevented this issue. In Jenkins Enterprise, this issue has been fixed in the latest 1.651 release (release notes), and in other installations it has been fixed in the latest 1.651.1 release. In the 1.651 release, Jenkins forcibly disables the HTTP endpoint that was vulnerable to this issue by default. You can re-enable it by updating the configuration in the UI. In order to mitigate against this issue, we recommend that you: Update to the latest version of Jenkins.
When installing a new version of Jenkins, you will be prompted to restart the service.

Summary of CVE-2022-43431

The vulnerability exists in the Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier, when it does not perform a permission check for HTTP endpoints, which allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
To mitigate against this issue, we recommend that you upgrade to the latest version of the plugin, or update to an older version if already installed. When installing a new version of the plugin, you will be prompted to restart the service.

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/22/2022 02:25:00 UTC

References

• https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2631
• http://www.openwall.com/lists/oss-security/2022/10/19/3
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-43431