A security vulnerability has been discovered in the Jenkins Qualys Web App Scanning Connector Plugin 2..10 and earlier. The vulnerability, identified as CVE-2023-39154, allows attackers with global Item/Configure permission to exploit incorrect permission checks and connect to an attacker-specified URL using attacker-specified credentials IDs. As a result, the attacker can capture credentials stored in Jenkins.

Details

In the Qualys Web App Scanning Connector Plugin 2..10 and earlier versions, the incorrect implementation of permission checks gives attackers an opportunity to misuse the stored credentials in Jenkins. This vulnerability can be exploited if the attacker already has global Item/Configure permission, which allows configuring Jenkins jobs.

The attacker can also connect to a custom URL and use a credential ID that they previously obtained through another method. As a result, they can potentially access sensitive information, manipulate configurations, and cause disruption to the Jenkins system.

Exploit Details

The following snippet illustrates where the permission check is missing (the skeleton is abridged; imports are added for readability):

import java.util.HashSet;
import java.util.Set;
import hudson.model.Run;
import org.kohsuke.stapler.DataBoundConstructor;

public class QualysWebAppScanCredentialBinding extends CredentialBinding implements MultiBinding<QualysWebAppScanCredentialBinding> {
    @DataBoundConstructor
    public QualysWebAppScanCredentialBinding(String credentialsId) {
        // The caller-supplied credentials ID is accepted without any permission check
        super(credentialsId);
    }

    // ... (other code)

    @Override
    public Set<String> variables(Run<?, ?> build) {
        // No permission check here either: anyone who can configure a job reaches this path
        Set<String> variables = new HashSet<>();
        // ...
        return variables;
    }
}

In this snippet, the QualysWebAppScanCredentialBinding class inherits from CredentialBinding but never verifies the caller's permissions before the credentials ID is used. An attacker with global Item/Configure permission can therefore pass arbitrary credential IDs to the constructor, which is what makes the credentials leak possible.

Original References

The issue was originally reported by a security researcher and has been documented in the following sources:
1. Jenkins Security Advisory 2023-03-15: https://www.jenkins.io/security/advisory/2023-03-15/#SECURITY-2716%20(2)
2. National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2023-39154

Solution and Mitigation

The issue has been addressed in the Qualys Web App Scanning Connector Plugin version 2..11. It is highly recommended to update your Jenkins installation to use this version or a later version that has fixed the issue.

The updated version now has proper permission checks in place, ensuring that only users with appropriate permissions can execute actions that involve the use of stored credentials (imports added for readability):

import java.util.HashSet;
import java.util.Set;
import hudson.model.Item;
import hudson.model.Run;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;

public class QualysWebAppScanCredentialBinding extends CredentialBinding implements MultiBinding<QualysWebAppScanCredentialBinding> {
    @DataBoundConstructor
    public QualysWebAppScanCredentialBinding(String credentialsId) {
        super(credentialsId);
    }

    // ... (other code)

    @Override
    public Set<String> variables(Run<?, ?> build) {
        // Added permission check: throws AccessDeniedException for callers lacking Item/Configure
        Jenkins.get().checkPermission(Item.CONFIGURE);
        Set<String> variables = new HashSet<>();
        // ...
        return variables;
    }
}

To protect yourself from this vulnerability, follow these steps:

1. Review your Jenkins system and identify if you are using the Qualys Web App Scanning Connector Plugin 2..10 or earlier.
2. Update the plugin to version 2..11 or later by visiting the "Manage Plugins" section in your Jenkins installation.
3. Verify that your Jenkins system is now using the updated plugin, which has the correct permission checks in place.
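
As an added example (not code from the advisory or the plugin project), step 1 can be automated against the plugin inventory Jenkins exposes at /pluginManager/api/json?depth=1. The inventory below is constructed, the controller URL and API token are hypothetical, and the fixed-version threshold is a placeholder the reader sets from the advisory.

```python
import base64
import json
import urllib.request
from typing import Dict, Optional, Tuple

# Update-site identifier of the connector (taken from the plugin URL on this page).
QUALYS_WAS_SHORT_NAME = "qualys-pc-was"


def parse_version(version: str) -> Tuple[int, ...]:
    """Map '1.4.0' or '1.4.1-rc1' to a comparable tuple; only the leading dotted
    numeric components count, so a hash-style suffix like 'v54b_1c2c' is ignored."""
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split(".") if part.isdigit())


def find_vulnerable_plugin(plugin_manager_json: str, short_name: str,
                           fixed_version: str) -> Optional[Dict]:
    """Return the installed record for short_name if its version is older than
    fixed_version (a disabled plugin is still reported, since it is still on disk),
    otherwise None. plugin_manager_json is the body of /pluginManager/api/json?depth=1."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            if parse_version(plugin.get("version", "0")) < parse_version(fixed_version):
                return plugin
            return None
    return None  # plugin not installed at all


def fetch_plugin_manager_json(base_url: str, user: str, api_token: str) -> str:
    """Fetch the inventory from a live controller with an API token (hypothetical
    deployment values; not exercised offline)."""
    auth = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/pluginManager/api/json?depth=1",
                                 headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


# Constructed sample inventory: an out-of-date connector sitting beside another plugin.
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "credentials", "version": "1271.v54b_1c2c6388a", "enabled": True},
    {"shortName": QUALYS_WAS_SHORT_NAME, "version": "1.4.0", "enabled": True},
]})

if __name__ == "__main__":
    FIXED_VERSION = "1.4.1"  # placeholder; set from the advisory for the real check
    hit = find_vulnerable_plugin(SAMPLE_RESPONSE, QUALYS_WAS_SHORT_NAME, FIXED_VERSION)
    print("update required:" if hit else "ok:", hit)
```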

For further details on the fixed version of the plugin and information on upgrading, please visit the Jenkins plugin page:
- Jenkins Qualys Web App Scanning Connector Plugin: https://plugins.jenkins.io/qualys-pc-was/

It is also crucial to ensure that you review and manage user permissions in your Jenkins instance carefully to minimize the risk of unauthorized access and potential exploitation of such vulnerabilities.

Stay vigilant and keep your Jenkins environment updated to protect yourself from security threats.

Timeline

Published on: 07/26/2023 14:15:00 UTC
Last modified on: 07/31/2023 18:13:00 UTC