CVE-2023-24428 - How CSRF in Jenkins Bitbucket OAuth Plugin Lets Attackers Hijack Logins

---

What is CVE-2023-24428?

CVE-2023-24428 is a serious security vulnerability found in the Jenkins Bitbucket OAuth Plugin, affecting versions .12 and earlier. If your Jenkins server uses this plugin to help users log in with Bitbucket accounts, attackers can trick people into logging in as the attacker. That puts your builds and secrets at risk.

Let’s break it down in simple language so you can understand what it is, how it works, how attackers exploit it, and what you need to do.

Understanding the Problem: CSRF in Jenkins Bitbucket OAuth

Cross-Site Request Forgery (CSRF) is a web attack where users do something they didn’t mean to, just by visiting a webpage. In this case, the Jenkins Bitbucket OAuth Plugin didn’t protect its login endpoint against these attacks. That means, if you visit a malicious page while logged out, you could end up unknowingly logging in to Jenkins — but not with your account. You’ll get logged into Jenkins as the attacker!

Why is this bad?  
This gives the attacker access to Jenkins as you (depending on how tokens are managed), and opens Jenkins up to further attacks, leaks, or unwanted actions.

Vulnerable Code Walkthrough

The issue is in the route or handler in Jenkins Bitbucket OAuth Plugin where users are redirected for login without checking if the action was intended by the user. CSRF protection (like checking for a special token) was missing.

For example, this is what a vulnerable endpoint might look like

// Pseudo-code from vulnerable plugin
@POST
public HttpResponse doLogin() {
    // No CSRF token check...
    // Start OAuth flow
    // The attacker can trigger this with any session
    ...
}

The plugin should be checking for a CSRF “crumb,” but in vulnerable versions, it does not.

`html

https://jenkins.example.com/securityRealm/commenceLogin?from=/&oauthProvider=bitbucket" style="display:none;">

Jenkins, without checking for CSRF tokens, starts the OAuth flow.

6. When the victim follows the Bitbucket login, they get logged in not as themselves, but as the attacker's Bitbucket account!
7. Attacker can now make the victim perform actions as the attacker, or possibly steal session cookies, depending on the Jenkins setup.

Example of a CSRF Exploit Snippet

<!-- Malicious HTML on attacker's page -->
<img src="https://jenkins.company.com/securityRealm/commenceLogin?from=/"; style="display:none;">

That’s all it takes. No JavaScript needed. If the cookies and session are aligned, the attack can succeed silently.

Original References

- Jenkins Security Advisory 2023-03-08
- Jenkins Bitbucket OAuth Plugin GitHub
- NVD Entry CVE-2023-24428

Fix and Mitigation

The fix for CVE-2023-24428 is simple: Upgrade the Bitbucket OAuth Plugin to version .13 or later.  
You can find the fixed release here:  
Jenkins Plugins - Bitbucket OAuth

Additionally, always enable *"Prevent Cross Site Request Forgery exploits"* (CSRF protection/"crumbs") in Jenkins' security settings.

Enable CSRF protection:

Manage Jenkins → Configure Global Security → Enable "Prevent Cross Site Request Forgery exploits"

Final Thoughts

Bitbucket OAuth integration is a must-have convenience for many Jenkins environments. However, this vulnerability shows how forgetting CSRF tokens can make login flows unsafe.

Always keep plugins up to date, review the security advisories, and enable CSRF protection in Jenkins.

If you want to learn more read the Jenkins advisory and install the fixed plugin now!

Timeline

Published on: 01/26/2023 21:18:00 UTC
Last modified on: 02/04/2023 02:06:00 UTC