CVE-2023-40344 - How a Simple Permission Check Failure in Jenkins Delphix Plugin Exposes Credential IDs

In the fast-moving world of DevOps, Jenkins plugins play a big role in extending core functionality. But sometimes, even a small oversight in plugin code can have critical security impacts. That’s the story behind CVE-2023-40344, a vulnerability in the Delphix Plugin for Jenkins (versions 3..2 and earlier).

What’s the Problem with Delphix Plugin?

The Delphix Plugin helps Jenkins users automate data operations with Delphix. However, it had a missing permission check for a web endpoint that lets users list credential IDs. Normally, only users with explicit privileges should enumerate credentials. But due to this oversight, any Jenkins user with basic "Overall/Read" permission could get a list of credential IDs, even if they couldn’t see the secrets themselves.

While the secrets themselves can't be read through this endpoint, knowing which credential IDs exist still helps an attacker in several ways (see the list below, after the exploit walkthrough).

Diving into the Vulnerable Code

The vulnerable endpoint was /descriptorByName/com.delphix.jenkins.DelphixCredential/select. This served autocomplete or credential enumeration data for the plugin's web UI.

Here's a simplified (and sanitized) example of how this looked in code:

```java
// Delphix Plugin credential API handler snippet (before fix, simplified)
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import java.util.Collections;

// Descriptor class name is assumed; the plugin's real class layout is not shown here.
public class DelphixCredentialDescriptor {

    // Stapler exposes doFill*Items methods as web endpoints, so this is reachable over HTTP.
    public ListBoxModel doFillCredentialIdItems(@QueryParameter String value) {
        // MISSING: permission check. Nothing verifies that the caller may see credentials.
        ListBoxModel items = new ListBoxModel();
        // A null Authentication means the lookup runs as SYSTEM and sees every credential.
        for (StandardUsernamePasswordCredentials c : CredentialsProvider.lookupCredentials(
                StandardUsernamePasswordCredentials.class,
                Jenkins.get(), null, Collections.emptyList())) {
            items.add(c.getId()); // every credential ID is handed back to any caller
        }
        return items;
    }
}
```

There's no line like

```java
if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
    return new ListBoxModel(); // empty list for callers without the permission
}
```

or even

```java
Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException
```

which would block unauthorized users. Even with only "Overall/Read" on Jenkins, a user can call this method and get all credential IDs.

How the Exploit Works

A real attack is straightforward if you have a regular Jenkins user account (with Overall/Read permission):

```
GET /jenkins/descriptorByName/com.delphix.jenkins.DelphixCredential/select

delphix-prod-key
delphix-stage-key

curl -b "JSESSIONID=xxxx" "https://jenkins.example.com/jenkins/descriptorByName/com.delphix.jenkins.DelphixCredential/select"
```

With a list of valid credential IDs in hand, an attacker benefits in several ways:

- They can understand naming patterns (e.g., prod-aws-key, ci-deploy).
- Sometimes other scripts or endpoints might accept a credential ID as input; knowing valid ones is half the battle.

It’s also a broader problem for organizations with many users: least-privilege principles are violated.

Delphix Plugin 3..3 fixed the vulnerability by adding a proper permission check.

- Now, only users with relevant Credentials/View or higher (i.e., admin-level) permissions can enumerate credential IDs with this endpoint.
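As an added illustration (not the plugin's actual patch, and not the original page's code), here is how the handler above looks with the permission checks that the Jenkins credentials plugin documentation recommends for doFill...Items methods: Overall/Administer in the global configuration context, and the item-level read/use permissions when the form belongs to a job or folder. The class name and the `credentialId` parameter name are assumptions.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import java.util.Collections;

// Assumed descriptor class name; the real plugin's class layout is not shown on this page.
public class HardenedDelphixCredentialDescriptor {

    // Stapler binds this to .../fillCredentialIdItems for the credentialId form field.
    public ListBoxModel doFillCredentialIdItems(@AncestorInPath Item item,
                                                @QueryParameter String credentialId) {
        StandardListBoxModel result = new StandardListBoxModel();

        // Permission check first: a caller who may not see credentials only gets
        // back the value already in the form field, never the list of IDs.
        if (item == null) {
            // Global/system configuration context: require Overall/Administer.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialId);
            }
        } else {
            // Job/folder context: require the right to read the item's config
            // or to use credentials within it.
            if (!item.hasPermission(Item.EXTENDED_READ)
                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return result.includeCurrentValue(credentialId);
            }
        }

        // Only now enumerate, scoped to the item (null item = global scope).
        return result
                .includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, item,
                        StandardUsernamePasswordCredentials.class,
                        Collections.emptyList(),
                        CredentialsMatchers.always())
                .includeCurrentValue(credentialId);
    }
}
```

The `includeCurrentValue` early return keeps an already-configured form from breaking for low-privilege viewers while still refusing to enumerate, which is the behaviour a reviewer should look for in any plugin's doFill endpoint.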

You can read Jenkins' official advisory here:
➡️ Jenkins Security Advisory 2023-08-16: SECURITY-315
➡️ NVD Entry: CVE-2023-40344

- Audit your Jenkins plugins for other similar permission issues.
- Limit Jenkins user permissions: only give Overall/Read to users who need it, and restrict access to sensitive endpoints.

TL;DR

Jenkins Delphix Plugin before 3..3 let any logged-in user see credential IDs, thanks to a missing permission check. Upgrade now, and always check your plugin endpoints for proper permission enforcement!

*Stay safe, and keep those CI/CD secrets secret!*

CVE-2023-40344 entry:

https://nvd.nist.gov/vuln/detail/CVE-2023-40344

Jenkins Security Advisory:

https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-315

Delphix Plugin page:

https://plugins.jenkins.io/delphix/


Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 20:01:00 UTC