CVE-2023-30522 - Exploiting the permission flaw in Jenkins Fogbugz Plugin — Analysis, Example, and Exploit Details

_CVE-2023-30522_ is a critical vulnerability discovered in the Jenkins FogBugz Plugin version 2.2.17 and earlier. This vulnerability enables attackers with as little as Item/Read permission to start arbitrary builds, which should require more powerful permissions. Let’s break down what this means, how this flaw works, and give a walk-through demonstration with code snippets and references.

What’s the Issue?

Jenkins plugins often add automation and integration features, but they also come with security risks if not properly checked. In this case, the Fogbugz Plugin, designed for integrating FogBugz issue tracker with Jenkins, contains a route that starts builds of Jenkins jobs based on a jobname request parameter.

Problem: The plugin doesn’t properly check if the requester has permission to build the targeted job. Anyone with basic Item/Read rights can trigger builds they shouldn't be able to!

Official References

- Jenkins Security Advisory for CVE-2023-30522
- MITRE CVE Record
- FogBugz Plugin Source Code

Classic permission order in Jenkins

- Item/Read: View the job and some configurations.
- Job/Build: Start a build of the job.

Normally, triggering a build should require at least Job/Build. This vulnerability lets someone with just Item/Read _start_ a build. That’s big trouble if you have sensitive or production deployments.

Here’s a conceptual simulation of the flawed handler in the Fogbugz Plugin before the fix

// Jenkins Fogbugz plugin handler (simplified)
public void doBuildJob(StaplerRequest req, StaplerResponse rsp) throws IOException {
    String jobName = req.getParameter("jobname");
    Job<?,?> job = Jenkins.getInstance().getItemByFullName(jobName, Job.class);

    // FLAW: Only checks for Item.READ, not Job.BUILD
    if (job != null && job.hasPermission(Item.READ)) {
        job.scheduleBuild(new Cause.UserIdCause(), new Action[]);
        rsp.getWriter().println("Build triggered for: " + jobName);
    } else {
        rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "No permission!");
    }
}

What’s Missing?
There’s no check for .hasPermission(Job.BUILD), so any user who can see the job (Item/Read) can _also build it_. Oops!

Prerequisites

- Attacker must be a Jenkins user (cannot be anonymous, unless Item/Read is public).

Steps

1. Gather Job Names  
Attacker views jobs they have _Item/Read_ to list exact names.

2. Craft the Exploit Request  
Send a request to the doBuildJob endpoint with a chosen job name.

3. Unwanted Build Triggered  
Jenkins builds the job—possibly running sensitive builds/disclosures/actions.

Here’s how it could look using curl (adjust the endpoint to your setup)

curl -u attacker:password \
  'https://jenkins.example.com/job/fogbugz/buildJob?jobname=SensitiveJob';

Or using POST, depending on the plugin endpoint usage.

Expected Output

Build triggered for: SensitiveJob

Check the Jenkins logs — you’ll see your unauthorized build executed!

Defense: How Was It Fixed?

The proper fix is simple: check for Job/Build permission as well as Item/Read.

Fixed code (conceptual)

if (job != null && job.hasPermission(Item.READ) && job.hasPermission(Job.BUILD)) {
    job.scheduleBuild(new Cause.UserIdCause(), new Action[]);
    rsp.getWriter().println("Build triggered for: " + jobName);
} else {
    rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "No permission!");
}

Now, only those who can _actually build_ a job are able to trigger a job build.

Mitigation & Recommendations

- Update the plugin: Use Fogbugz Plugin 2.2.18 or later.

Summary Table

| Aspect                  | Detail                                                               |
|-------------------------|---------------------------------------------------------------------|
| Vulnerability       | CVE-2023-30522                                                      |
| Affected            | Jenkins Fogbugz Plugin <= 2.2.17                                    |
| Impact              | Any user with Item/Read can trigger build of any job (priv. escalate)|
| Patch               | Upgrade to Fogbugz Plugin >= 2.2.18                                 |
| Severity            | High                                                                |

Final Thoughts

_CVE-2023-30522_ is a reminder that Jenkins plugin APIs must always check for the correct permissions. If you run Jenkins with Fogbugz Plugin, update now — and always keep an eye on permission configuration.

For more details and plugin updates, check:  
- https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-3042  
- https://plugins.jenkins.io/fogbugz/

Timeline

Published on: 04/12/2023 18:15:00 UTC
Last modified on: 04/20/2023 20:12:00 UTC