In September 2023, a security vulnerability labeled CVE-2023-41947 was disclosed in the Jenkins ecosystem. The bug affects the Frugal Testing Plugin in version 1.1 and earlier. It is serious because it allows attackers with only basic (Overall/Read) permission in Jenkins to connect to any Frugal Testing account using credentials of their own choosing, bypassing the access restrictions the plugin was supposed to enforce.
Jenkins Frugal Testing Plugin: Quick Overview
Jenkins is a leading open-source automation server, widely used for building, testing, and deploying software. Plugins extend Jenkins’s functionality to many kinds of environments and services.
Frugal Testing Plugin integrates Jenkins with Frugal Testing, a cloud-based platform for load and performance testing.
What is CVE-2023-41947?
In version 1.1 and earlier, the Frugal Testing Plugin for Jenkins does not perform a permission check in the HTTP endpoint that connects to Frugal Testing with user-supplied credentials.
What’s the Impact?
- Anyone with basic read access (Overall/Read permission) can supply arbitrary Frugal Testing service credentials.
- This means users who should not be able to run or control tests on external systems can do so by specifying their own external accounts.
- The plugin should verify that only authorized, higher-privileged users can connect to and configure these external integrations.
Why is this Dangerous?
- Attackers can use company Jenkins systems to connect to their own (or malicious) Frugal Testing accounts.
- Potential for data exfiltration or abuse of company Jenkins resources.
- Possible exposure of build/test pipeline secrets or sensitive metadata.
Exploit Details
The root cause is a missing permission check on the endpoint or code responsible for connecting to Frugal Testing with user-supplied credentials.
Step-by-Step Attack
1. The attacker logs in with any Jenkins account that has Overall/Read permission.
2. They navigate to “Manage Jenkins” > “Configure System”, or directly access the plugin’s connection-test endpoint.
3. Jenkins connects using the credentials they supplied, without blocking the attacker.

Expected behavior: only administrators or specifically authorized users should be able to connect to or configure third-party integrations.

Here is what typical Jenkins plugin code should do when checking permissions:

```java
// Proper permission check
public FormValidation doTestConnection(@QueryParameter String apiKey, ...) {
    // Ensure only admins can use this
    Jenkins.get().checkPermission(Jenkins.ADMINISTER);
    ...
}
```

But in the vulnerable version, the check is missing:

```java
// Vulnerable: the permission check is missing!
public FormValidation doTestConnection(@QueryParameter String apiKey, ...) {
    // No call to Jenkins.get().checkPermission()
    ...
}
```

Instead of going through the UI, a direct HTTP POST to the endpoint with attacker-chosen credentials works just as well:

```http
POST /jenkins/frugalTesting/testConnection HTTP/1.1
Host: jenkins.example.com
Cookie: JSESSIONID=...
Content-Type: application/x-www-form-urlencoded

apiKey=ATTACKER_API_KEY&otherParam=...
```

If exploited successfully, Jenkins responds with a valid-connection message.
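For comparison, here is a complete global-configuration descriptor with the permission check in place. This is an added example, not the Frugal Testing Plugin’s own code: the package name, the class name `FrugalTestingGlobalConfig`, and the Frugal Testing validation URL and `Authorization` header in `probe()` are assumptions made for illustration.

```java
// Added example (not the Frugal Testing Plugin's own code): a GlobalConfiguration
// descriptor whose connection-test endpoint performs the permission check that
// CVE-2023-41947 describes as missing. Package, class name and the Frugal Testing
// API URL/header are assumptions.
package io.example.jenkins.frugaltesting;

import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

@Extension
public class FrugalTestingGlobalConfig extends GlobalConfiguration {

    // Placeholder endpoint: the real Frugal Testing API is not described on this page.
    private static final String VALIDATE_URL = "https://frugaltesting.example/api/validate";

    private Secret apiKey;

    public FrugalTestingGlobalConfig() {
        load(); // restore the persisted configuration
    }

    public Secret getApiKey() {
        return apiKey;
    }

    public void setApiKey(Secret apiKey) {
        this.apiKey = apiKey;
        save();
    }

    /**
     * Form-validation endpoint, reachable at
     * descriptorByName/io.example.jenkins.frugaltesting.FrugalTestingGlobalConfig/testConnection.
     * @POST limits it to POST requests (so Jenkins' CSRF crumb is required), and
     * checkPermission rejects any caller without Overall/Administer with HTTP 403
     * before an outbound connection is even attempted.
     */
    @POST
    public FormValidation doTestConnection(@QueryParameter String apiKey) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException3 if denied

        if (apiKey == null || apiKey.trim().isEmpty()) {
            return FormValidation.error("API key is required");
        }

        try {
            int status = probe(Secret.fromString(apiKey));
            return status == 200
                    ? FormValidation.ok("Connection successful")
                    : FormValidation.error("Frugal Testing rejected the API key (HTTP " + status + ")");
        } catch (IOException e) {
            return FormValidation.error(e, "Could not reach Frugal Testing");
        }
    }

    /** Sends the key as a bearer token to the (placeholder) validation endpoint. */
    private static int probe(Secret key) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(VALIDATE_URL).openConnection();
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        conn.setRequestProperty("Authorization", "Bearer " + key.getPlainText());
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

Two details matter when reviewing code like this. The `checkPermission` call is the first statement in the method, so no credential handling or network I/O happens for an unauthorized caller; and the endpoint is annotated `@POST`, which keeps a simple GET link from triggering an outbound connection on an administrator’s behalf.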
How To Fix
Upgrade to Frugal Testing Plugin version 1.2 or later where the proper permission checks are in place.
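Plugin maintainers can also lock the fix in with a regression test. The following is an added example written against the Jenkins test harness (`JenkinsRule`), not a test from the plugin’s repository; it assumes a descriptor class named `io.example.jenkins.frugaltesting.FrugalTestingGlobalConfig` exposing a `doTestConnection` form-validation method.

```java
// Added example (not the plugin's own test): a JenkinsRule regression test asserting
// that the connection-test endpoint refuses a user who holds only Overall/Read.
// The descriptor class name below is an assumption.
package io.example.jenkins.frugaltesting;

import com.gargoylesoftware.htmlunit.HttpMethod;
import com.gargoylesoftware.htmlunit.Page;
import com.gargoylesoftware.htmlunit.WebRequest;
import jenkins.model.Jenkins;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.MockAuthorizationStrategy;

import java.net.URL;

import static org.junit.Assert.assertEquals;

public class FrugalTestingGlobalConfigTest {

    @Rule
    public JenkinsRule j = new JenkinsRule();

    // Stapler route for a descriptor's form-validation method; the apiKey value is a dummy.
    private static final String ENDPOINT =
            "descriptorByName/io.example.jenkins.frugaltesting.FrugalTestingGlobalConfig/testConnection?apiKey=dummy";

    @Test
    public void readOnlyUserCannotTestConnection() throws Exception {
        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
                .grant(Jenkins.ADMINISTER).everywhere().to("admin")
                .grant(Jenkins.READ).everywhere().to("reader"));

        // Overall/Read alone must be rejected by the permission check.
        assertEquals(403, postAs("reader"));

        // An administrator passes the check. FormValidation renders both ok() and error()
        // with HTTP 200, so the status is 200 even when the placeholder host is unreachable.
        assertEquals(200, postAs("admin"));
    }

    private int postAs(String user) throws Exception {
        JenkinsRule.WebClient wc = j.createWebClient()
                .withThrowExceptionOnFailingStatusCode(false);
        wc.login(user);
        WebRequest req = new WebRequest(new URL(j.getURL(), ENDPOINT), HttpMethod.POST);
        wc.addCrumb(req); // include the CSRF crumb so a 403 can only come from checkPermission
        Page page = wc.getPage(req);
        return page.getWebResponse().getStatusCode();
    }
}
```

Adding the crumb is what makes the test meaningful: without it, Jenkins’ CSRF protection would reject the POST with 403 for every user, and the test would pass even if the permission check were missing.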
References
- Jenkins Security Advisory (September 2023)
- NVD entry for CVE-2023-41947
- Frugal Testing Plugin source code
Conclusion
CVE-2023-41947 is a classic example of why permission checks are critical in CI/CD systems. If you use Jenkins with Frugal Testing integration, make sure you’re running the latest plugin version. Always audit plugin access and limit permissions wherever possible.
If you found this useful or want to learn more about Jenkins security, check out the references above and stay tuned for more security breakdowns!
Timeline
Published on: 09/06/2023 13:15:00 UTC
Last modified on: 09/11/2023 19:06:00 UTC