Jenkins, one of the leading open-source automation servers, has disclosed a vulnerability in its NodeJS Plugin (version 1.6.0 and earlier). The flaw, tracked as CVE-2023-40340, lets anyone who can read a Pipeline build log recover credentials specified in the npm config file, because the plugin did not properly mask (replace with asterisks) those values in the log output.

In this post, we walk through the details of this vulnerability: a Jenkinsfile that triggers it, the original references, and how an attacker would take advantage of it. So, let's begin.

Vulnerability Details

Jenkins NodeJS Plugin lets Jenkins automatically detect and install NodeJS on build nodes, bind a NodeJS installation as a tool, and manage npm user configuration (.npmrc) files, including any registry credentials they contain. Version 1.6.0 and earlier versions contain a vulnerability that exposes the credentials held in those npm config files.

The flaw is improper masking of these credentials in Pipeline build logs. When a Pipeline job runs, credential values written to the console output are supposed to be replaced with asterisks (****) so that a log reader cannot recover them. In the affected versions the plugin does not mask the credentials it places in the npm config file, so whenever a build step echoes that configuration the values appear in clear text in the build log.

The following Jenkinsfile snippet demonstrates the improper masking in the Jenkins NodeJS Plugin.

//... Inside Jenkinsfile (Scripted Pipeline)

// Put the NodeJS installation named 'tool-name' on PATH for the enclosed steps.
withEnv(["PATH+NODEJS=${tool 'tool-name'}"]) {
  // Prints the effective npm configuration to the console log. With the
  // affected plugin, any credential values it echoes are not masked.
  sh 'npm config list'
  sh 'node app.js'
}

//...

In the above Jenkinsfile example, the npm config list command prints the effective npm configuration into the build log, including credential values that should have been masked. The command itself is not the bug: Jenkins masking is value-based, so a correctly registered secret is replaced with asterisks no matter which step prints it (npm config list, cat .npmrc, a shell running with set -x). The vulnerability is that the affected plugin versions never registered the npm config credentials for masking at all. The same applies when the plugin's own nodejs step is used to bind a managed npmrc config file (nodejs(nodeJSInstallationName: ..., configId: ...)), which is the usual way these credentials reach the build.

Jenkins Security Advisory

- https://www.jenkins.io/security/advisory/2023-01-23/#SECURITY-2907

CVE-2023-40340 Record

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40340

Exploit Details

An attacker exploits this vulnerability simply by reading the exposed credentials out of the build log; no interaction with the build itself is required. Because npm registry tokens typically allow publishing packages, this can lead to unauthorized access to the registry or to other systems protected by the same credentials. The only prerequisite is read access to the console output of an affected Pipeline build, which in Jenkins is available to any user with read permission on the job, and which persists in archived logs long after the build has finished.
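The two sides of this issue, the masking the plugin should have applied and the log review a defender now has to do, are illustrated below as an added example written for this post; it is not the NodeJS Plugin's or Jenkins' own code. It assumes the npm credential key names (_authToken, _auth, _password, optionally scoped to a registry), the "****" mask Jenkins uses, and a constructed console log modelled on the Jenkinsfile above with a fake token.

```python
"""Added example: masking npm credentials in Jenkins-style build logs, and
scanning old logs for values that were not masked.

Illustrative code written for this post, not the NodeJS Plugin's own masking
code. The secret key names, the "****" mask and SAMPLE_LOG are assumptions /
constructed data.
"""
import re
from typing import Iterable, List, Tuple

MASK = "****"  # Jenkins replaces masked secrets with asterisks

# npm config keys whose values are credentials. In .npmrc (and in
# `npm config list` output) they may be scoped to a registry, e.g.
# "//registry.npmjs.org/:_authToken=<token>". Key list is an assumption.
SECRET_KEYS = ("_authToken", "_auth", "_password")

# "<optional //registry/: scope><secret key> = <value>", tolerant of spaces.
SECRET_LINE = re.compile(
    r"(?P<key>(?://[^\s=]+/:)?(?:" + "|".join(SECRET_KEYS) + r"))"
    r"\s*=\s*(?P<value>\S+)"
)


def mask_npmrc_lines(text: str) -> str:
    """Key-based masking: blank the value of every npm credential key.

    Suitable for config content the plugin itself writes or echoes, where the
    key names are known even before any credential value is bound.
    """
    return SECRET_LINE.sub(lambda m: f"{m.group('key')}={MASK}", text)


def mask_known_secrets(text: str, secrets: Iterable[str]) -> str:
    """Value-based masking, the way Pipeline credential masking works: every
    occurrence of a bound secret value is replaced, whatever printed it
    (`npm config list`, `cat .npmrc`, `set -x`, ...).

    Longest secrets first, so a short secret that is a substring of a longer
    one does not leave fragments behind.
    """
    for secret in sorted({s for s in secrets if s}, key=len, reverse=True):
        text = text.replace(secret, MASK)
    return text


def find_unmasked_credentials(log: str) -> List[Tuple[int, str]]:
    """Scan a build log and return (line number, key) for every credential
    line whose value is still in clear text, i.e. not only asterisks.

    Run this over logs produced while the affected plugin was installed to
    decide which tokens must be rotated.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        for m in SECRET_LINE.finditer(line):
            if m.group("value").strip("*"):
                hits.append((lineno, m.group("key")))
    return hits


# Constructed console output resembling the Jenkinsfile above; the token is fake.
SAMPLE_LOG = """\
[Pipeline] sh
+ npm config list
; "user" config from /var/jenkins_home/workspace/app/.npmrc
//registry.npmjs.org/:_authToken = npm_EXAMPLEtoken1234567890
registry = https://registry.npmjs.org/
+ node app.js
Listening on port 3000
"""


if __name__ == "__main__":
    print("unmasked credentials:", find_unmasked_credentials(SAMPLE_LOG))
    print(mask_npmrc_lines(SAMPLE_LOG))
    print(mask_known_secrets(SAMPLE_LOG, ["npm_EXAMPLEtoken1234567890"]))
```

find_unmasked_credentials reports line 4 of the sample log, and either masking function makes the same scan come back empty. Value-based masking is what Jenkins does for bound credentials and catches the token wherever it is printed; key-based masking is a cheap safety net for config content whose layout you control. Neither rewrites logs that were already written, which is why the scan exists.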

Mitigation and Recommendations

Jenkins NodeJS Plugin users, especially those running version 1.6.0 or earlier, are advised to take the following steps to protect themselves from this vulnerability:

1. Update to Jenkins NodeJS Plugin version 1.6.1 or later, which resolves this vulnerability. The plugin can be installed from the Jenkins Plugin Manager or obtained from the following URL: https://plugins.jenkins.io/nodejs

2. Treat any npm credential used by Pipeline builds run on an affected version as exposed. Upgrading masks future output only; it does not rewrite existing build logs. Rotate those tokens, and review (or delete) the archived logs of the affected builds.

Conclusion

Jenkins NodeJS Plugin 1.6.0 and earlier versions contain a vulnerability (CVE-2023-40340) that exposes npm config credentials in Pipeline build logs due to improper masking. Organizations and users are strongly advised to update their Jenkins NodeJS Plugin to the latest version (1.6.1 or later), rotate any credentials that may already have been logged, and follow the mitigation steps above. Stay vigilant and secure your Jenkins environment from potential threats.

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/22/2023 18:56:00 UTC