If you’re using Jenkins for continuous integration (CI/CD), you likely depend on plugins to extend its core functionality. But plugins can sometimes introduce security holes. One such example is CVE-2023-40338, a vulnerability found in the Folders Plugin prior to version 6.847.v24698686ff7. This issue may expose sensitive data about your Jenkins server's file system to unauthorized users.
In this deep dive, we’ll walk you through what CVE-2023-40338 is, how it could affect you, what the code looks like, how someone might exploit it, and (most importantly) what you should do about it.
## What is CVE-2023-40338?
CVE-2023-40338 is an information disclosure vulnerability that affects Folders Plugin 6.846.v23698686ff6 and earlier. If you try to access the Scan Organization Folder Log for a folder that doesn't have an existing log, Jenkins returns an error message showing the absolute path of the log file on the server. This accidentally exposes part of the internal structure of your Jenkins controller's file system, which could be used in further attacks.

- Severity: Medium
- Impact: Information leakage (specifically, absolute file system paths)
> Good to know: While this vulnerability doesn't let an attacker run code or directly access files, any exposure of internal file paths could help attackers in planning more serious exploits later.
## How Does the Vulnerability Work?
Whenever you view the scan log for an organization folder in Jenkins and no log file exists, the plugin tries to show a helpful error. Unfortunately, that error includes something like this:

```text
No log available at '/var/lib/jenkins/jobs/org-folder/org.jenkinsci.plugins.folder.Folder.log'
```
The path in single quotes shows exactly where that file would be on the Jenkins server. If you display this error to an unauthorized user, you're giving away details about your server's directory layout. A typical sequence looks like this:

1. Attacker logs in or accesses a Jenkins instance.
   (Depending on your permissions setup, even low-privileged users or anonymous visitors might trigger this.)
2. They open the Scan Organization Folder Log for a folder that has no log file yet.
3. Jenkins shows an error revealing the full absolute path:
   ```text
   No log available at '/var/lib/jenkins/jobs/top-secret-folder/org.jenkinsci.plugins.folder.Folder.log'
   ```
4. Attacker repeats this for other folders, mapping out the directory structure.
5. They use this info to craft more targeted attacks, like attempting directory traversal, path guessing, or chaining with other vulnerabilities.
Here's a simplified example of code that might be at fault (illustrative, not the plugin's actual source; `Folder` and `getLogFileForFolder` stand in for the plugin's own types and helpers):

```java
import java.io.File;
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;

void serveScanLog(Folder folder, HttpServletResponse response) throws IOException {
    File logFile = getLogFileForFolder(folder);
    if (!logFile.exists()) {
        // BAD: This leaks the absolute path in the error message
        response.sendError(404, "No log available at '" + logFile.getAbsolutePath() + "'");
    } else {
        // Serve the log...
    }
}
```
Notice how logFile.getAbsolutePath() is directly echoed back to the user in the error message.
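For comparison, here is a hardened counterpart written for this post (an added example, not the plugin's real code or the actual fix). It assumes the same servlet-style `response` as the snippet above and uses `java.util.logging` for the server-side log; the absolute path stays on the controller where an administrator can read it, while the browser only learns that no log exists. `leaksAbsolutePath` is a hypothetical regression check you could call from a unit test on any client-facing message.

```java
import java.io.File;
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;

public class ScanLogEndpoint {
    private static final Logger LOGGER = Logger.getLogger(ScanLogEndpoint.class.getName());

    // Matches a POSIX path with at least two components (e.g. /var/lib/jenkins) or a
    // Windows drive prefix (C:\). Used only as a safety net for client-facing text.
    private static final Pattern ABS_PATH =
        Pattern.compile("(?:^|[\\s'\"(=])(?:/[\\w.-]+){2,}|[A-Za-z]:\\\\");

    /** What the client is allowed to see: no file system details at all. */
    static String clientMessage() {
        return "No scan log is available for this folder yet.";
    }

    /** Detail for administrators; written to the server log, never sent to the browser. */
    static String adminDetail(String folderName, File logFile) {
        return "Scan log for folder '" + folderName + "' not found at " + logFile.getAbsolutePath();
    }

    /** Regression check: true if a message would disclose an absolute path. */
    static boolean leaksAbsolutePath(String message) {
        return ABS_PATH.matcher(message).find();
    }

    public void serveScanLog(String folderName, File logFile, HttpServletResponse response)
            throws IOException {
        if (!logFile.exists()) {
            // GOOD: the path goes to the controller's own log at a low level...
            LOGGER.log(Level.FINE, adminDetail(folderName, logFile));
            // ...and the HTTP client gets a generic 404 with no path in it.
            response.sendError(HttpServletResponse.SC_NOT_FOUND, clientMessage());
            return;
        }
        // Serve the log... (unchanged from the original logic)
    }
}
```

A unit test can assert `!leaksAbsolutePath(clientMessage())` and `leaksAbsolutePath(adminDetail("org-folder", new File("/var/lib/jenkins/jobs/org-folder/x.log")))` to keep the two messages from being mixed up later.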
## Real-World Impact

It might not seem like a big deal to leak a file path, but attackers *love* these breadcrumbs. Knowing something is at /var/lib/jenkins/jobs/ could help them:

- Perform targeted attacks on Jenkins infrastructure
- Enumerate organization/folder names
## How to Fix or Mitigate

CloudBees (the maintainers of the plugin) have fixed this in Folders Plugin version 6.847.v24698686ff7. Here's what you should do:

1. Update the Folders Plugin to at least 6.847.v24698686ff7 via the Jenkins Update Center.
2. Restrict user permissions: Make sure only authorized users have access to scan logs, especially on your controller node.
## References
- CVE-2023-40338 on NIST
- Jenkins Security Advisory 2023-08-30
- Folders Plugin changelog
- Original Issue on Jenkins Jira
## Bottom Line

CVE-2023-40338 is a good reminder that even small information leaks can matter. If you run Jenkins, patch your plugins promptly, and always keep a cautious eye on what your users can see. Paths are secrets too!

Questions or comments? Share them below! And always remember: don't wait for an attack to start before you patch. Stay safe, and happy building!
## TL;DR for sysadmins

- Folders Plugin <= 6.846.v23698686ff6 leaks absolute paths in error messages.
- Update to 6.847.v24698686ff7 or later ASAP.
## Timeline

- Published on: 08/16/2023 15:15:00 UTC
- Last modified on: 08/22/2023 18:50:00 UTC