Jenkins is a widely used automation server in software development. Many teams depend on Jenkins for building, testing, and deploying code. For easy and secure sign-in, plugins like "Jenkins GitLab Authentication Plugin" are very popular. However, in July 2023, security researchers discovered a dangerous bug - CVE-2023-39153. This flaw made it possible for attackers to hijack user sessions using a common web attack called CSRF (Cross-Site Request Forgery).
In this article, we'll break down what CVE-2023-39153 is, how it can be exploited, and show you code examples. If you use Jenkins, keep reading—you need to know about this!
What is CVE-2023-39153?
CVE-2023-39153 is a CSRF vulnerability in the "Jenkins GitLab Authentication Plugin" versions 1.17.1 and earlier. Attackers can exploit this bug to trick users into logging in to Jenkins as the attacker—giving the attacker a way to perform any Jenkins actions as that user. It’s especially dangerous for Jenkins administrators.
The bug lives in the plugin’s login endpoint, which didn’t have enough protection against CSRF attacks.
Reference:
- Jenkins Security Advisory 2023-07-12
- NIST NVD Entry for CVE-2023-39153
How Does the Attack Work?
A CSRF attack happens when a user is tricked (via a link or webpage) into making an unwanted request to an app they’re logged into. If the app’s endpoints don’t verify these requests, an attacker can act as if they were the user.
An attacker logs in to their own GitLab account.
2. The attacker crafts a URL or webpage that makes a login request to Jenkins—using their own GitLab account’s credentials.
3. The attacker convinces a victim (who has access to Jenkins) to visit the malicious link or webpage (for example, via email, social media, or a compromised site).
Without proper CSRF checks, the victim unknowingly logs in to Jenkins as the attacker.
Now, whenever the victim performs Jenkins actions, they’re actually doing so under the attacker’s identity!
Simple Exploit Example
Don’t try this on live systems! Here’s how a simple attack snippet might look in real life.
Suppose Jenkins is running at https://jenkins.example.com.
The attacker prepares a page like
<!-- Attacker's malicious page -->
<html>
<body>
<h1>Click to see the cute cat!</h1>
<img src="https://jenkins.example.com/securityRealm/commenceLogin?from=%2F" style="display:none" />
<script>
// Auto-submit a POST or follow login redirects if needed
// Can be made more complex to auto-login as the attacker's linked GitLab account
</script>
</body>
</html>
Or, the attacker can send a crafted POST request using JavaScript, or even just get the victim to click a special login link.
If the plugin doesn’t protect against CSRF, the victim will be logged in as the attacker when they visit Jenkins.
What’s Missing? Where’s the CSRF Protection?
Normally, web apps that allow logins or data-changing actions should check for a CSRF token—a hidden random value unique to the session. Without this token, requests from third-party sites (like a malicious page) get blocked.
In versions of the plugin up to 1.17.1, the /securityRealm/commenceLogin endpoint didn’t check for any CSRF token. Any website could send a login request on behalf of victims.
Proof of Concept: Exploiting CVE-2023-39153
You could use a cURL command, sending requests from the browser, or put a form on a malicious website:
<form action="https://jenkins.example.com/securityRealm/commenceLogin" method="GET">
<input type="hidden" name="from" value="/" />
<input type="submit" value="Log in for Free Stuff!" />
</form>
If the victim is logged into Jenkins and visits the attacker's page, they'll hit that endpoint without any warning and be logged in as the attacker's GitLab account.
How Do I Protect My Jenkins?
The Solution:
*Upgrade the "Jenkins GitLab Authentication Plugin" to version 1.18 or later.*
Jenkins fixed the bug by adding CSRF protection. Always keep plugins current, and review plugin changelogs for security advisories.
Educate your team on phishing and suspicious links.
- If you’re unsure, review Jenkins’ official security documentation.
Want to Read More?
- Jenkins Plugin Security
- CVE-2023-39153 – NVD Description
- Official Jenkins GitHub – GitLab Auth Plugin
Summary
CVE-2023-39153 was a critical bug in a popular Jenkins plugin, exposing devs and companies to account hijacking via simple web tricks. The fix is easy—update your plugin. Always stay up-to-date, and keep alert for new advisories. Don’t let a simple oversight put your builds, and your business, at risk!
Timeline
Published on: 07/26/2023 14:15:00 UTC
Last modified on: 07/31/2023 18:14:00 UTC