CVE-2022-25184 - Jenkins Pipeline: Build Step Plugin 2.15 and earlier - Password Parameter Exposure in Pipeline Snippet Generator

Jenkins, an open-source continuous integration and continuous deployment automation tool, has an ongoing security vulnerability CVE-2022-25184 in its Pipeline: Build Step Plugin version 2.15 and earlier. This vulnerability exposes the password parameter default values when generating a pipeline script using the Pipeline Snippet Generator. As a result, attackers with Item/Read permission can easily retrieve the default password parameter values from jobs, compromising the system's overall security.

In this post, we'll provide a detailed overview of the vulnerability, its associated exploit, and how it works. We'll also discuss mitigation strategies and provide links to original references and related material.

Exploit Details

The vulnerability specifically occurs in the Jenkins Pipeline: Build Step Plugin, which is widely used to execute one or more build steps in a pipeline project. It can be explained by the following code snippet:

node {
  withCredentials([password(credentialsId: 'example', variable: 'PASSWORD')]) {
    // BEGIN CHANGEABLE CODE
    
    // END CHANGEABLE CODE
  }
}

The Pipeline Snippet Generator allows users to generate pipeline scripts with placeholders or input parameters. However, the vulnerability lies in the non-sanitized default values for password parameters that can be revealed when generating scripts using this generator.

Attackers who have the Item/Read permission can access the Snippet Generator and generate a pipeline script for the related job. In doing so, they can potentially gain unauthorized access to the default password parameter values.

For example, when an attacker generates a pipeline script using the Snippet Generator, the following code snippet may be revealed:

node {
  withCredentials([password(credentialsId: 'example', variable: 'PASSWORD', defaultValue: 'p@sswrd')]) {
    // BEGIN CHANGEABLE CODE
    
    // END CHANGEABLE CODE
  }
}

As seen above, the default password parameter value 'p@sswrd' is exposed, which can then potentially be misused by the attacker.

- Jenkins Security Advisory: https://www.jenkins.io/security/advisory/2022-02-09/
- NVD - CVE-2022-25184: https://nvd.nist.gov/vuln/detail/CVE-2022-25184
- CloudBees: https://docs.cloudbees.com/docs/general/latest/pipeline-snippet-generator/
- Pipeline: Build Step Plugin: https://plugins.jenkins.io/build-step/

Mitigation Strategies

To mitigate the vulnerability CVE-2022-25184, users should upgrade the Jenkins Pipeline: Build Step Plugin to version 2.16 or later, which contains a fix for the vulnerability. Detailed steps to update the plugin can be found in the Jenkins User documentation: https://www.jenkins.io/doc/book/managing/plugins/#updating-plugins

In addition to updating the plugin, you should also consider the following best practices to further strengthen your Jenkins environment:

- Always remove or sanitize default password values from pipeline scripts before committing to your source code repository.
- Ensure Item/Read permissions are strictly provided to legitimate users and groups.

Conclusion

The Jenkins Pipeline: Build Step Plugin 2.15 and earlier suffers from a security vulnerability (CVE-2022-25184) that reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator. This allows attackers with Item/Read permissions to access sensitive information from jobs. Users are advised to upgrade to version 2.16 or later and adopt best practices to ensure their Jenkins environment remains secure.

Timeline

Published on: 02/15/2022 17:15:00 UTC
Last modified on: 02/23/2022 21:10:00 UTC