CVE-2023-41933: Jenkins Job Configuration History Plugin Vulnerable to XML External Entity Attacks

Recently, a critical vulnerability has been discovered in Jenkins Job Configuration History Plugin (versions 1227.v7a_79fc4dc01f and earlier) which exposes users to XML External Entity (XXE) attacks. This vulnerability has been assigned the CVE identifier CVE-2023-41933. As Jenkins is widely used for continuous integration and continuous delivery, this vulnerability poses a significant risk to numerous projects and applications. In this blog post, we will discuss the details of this vulnerability, its impacts, and recommended mitigation strategies.

Exploit Details

CVE-2023-41933 is a result of the Jenkins Job Configuration History Plugin not properly configuring its XML parser to prevent XXE attacks. XXE attacks exploit how XML parsers handle external entities, allowing attackers to execute harmful actions or access sensitive data stored on a victim's infrastructure. In the case of the Jenkins Job Configuration History Plugin, this could be exploited by an attacker through specially crafted XML data.

To better understand this vulnerability, let's take a look at an example of an XXE payload that could be used to exploit CVE-2023-41933:

<?xml version="1." encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

In this example, the attacker's payload attempts to read the contents of a sensitive file ("/etc/passwd") located on the Jenkins server. If the XML parser is not properly configured to prevent XXE attacks, processing this malicious input would lead to unauthorized access to sensitive data, potentially compromising the system.

For more information on CVE-2023-41933, you can refer to the following original references

- CVE Details - CVE-2023-41933
- Jenkins Security Advisory 2023-01-15

Mitigating CVE-2023-41933

To mitigate CVE-2023-41933, you should update your Jenkins Job Configuration History Plugin to version 1227.v7a_79fc4dc01f+1 or later, which has been released to address this vulnerability. This updated version will ensure that the XML parser is properly configured to protect against XXE attacks.

Check the box next to the plugin and click the "Download and Install" button.

Once the plugin is updated, your Jenkins instance will be protected from CVE-2023-41933.

Conclusion

In conclusion, CVE-2023-41933 is a critical vulnerability affecting Jenkins Job Configuration History Plugin. Due to the widespread use of Jenkins, it is essential to remediate this vulnerability in your instance as soon as possible. Updating the plugin to version 1227.v7a_79fc4dc01f+1 or later is sufficient to protect against potential XXE attacks. To ensure the ongoing security of your continuous integration and continuous delivery pipelines, we recommend routinely checking for updates and keeping a close eye on security advisories related to Jenkins and its plugins.

Timeline

Published on: 09/06/2023 13:15:00 UTC
Last modified on: 09/11/2023 20:33:00 UTC