CVE-2023-40338 is an information disclosure vulnerability present in Jenkins Folders Plugin 6.846.v23698686ff6 and earlier versions, which could potentially allow an attacker to get information about the Jenkins controller file system. This vulnerability exists due to the display of an error message containing the absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available.

The Jenkins Folders Plugin helps users organize items (jobs, pipelines, etc.) within groups by creating folder objects, providing an improved user experience and better administration for Jenkins. However, this vulnerability could expose sensitive information about the controller's file system, which might be utilized by attackers to exploit other potential vulnerabilities.

Code Snippet

Below is a code snippet that demonstrates how the vulnerable error message is generated when trying to access the Scan Organization Folder Log when no logs are available:

try {
    logFile = getLogFile(); // Get log file location
} catch (FileNotFoundException e) {
    errorMsg = "No logs are available at: " + e.getMessage(); // Include log file path in error message
} 

if (logFile == null) {
    // Display error message and log absolute path
    throw new IOException("Unable to access Scan Organization Folder Log: " + errorMsg);
}

As seen above, the exception FileNotFoundException is caught and the error message, which contains the absolute path of a log file, is presented to the user. This information should not be disclosed, as it reveals details about the Jenkins controller's file system structure.

Exploit Details

To exploit this vulnerability, an attacker simply needs to access the Scan Organization Folder Log in Jenkins Folders Plugin while no logs are available. This can be achieved by visiting the following Jenkins URL after logging in:

http://<jenkins_ip_address>/job/<organization_name>/foldername/scan/scanLog/

Replace <jenkins_ip_address> with the IP address or domain of your Jenkins server, <organization_name> with your organization's Jenkins name, and foldername with the name of the desired folder. If no logs are available, the attacker will receive an error message containing the log file's absolute path, disclosing information about the Jenkins controller file system.

Prevention Measures

Jenkins has already released a patched version of the Folders Plugin (version 6.847.v1e8a92d530add or later) to address this vulnerability. Users are advised to update their Jenkins plugins immediately to prevent exploitation.

Click the "Updates" tab.

5. Look for "Folders Plugin" in the available updates list, select it, and click the "Download now and install after restart" button.

After the plugin is updated and Jenkins is restarted, the vulnerability should be resolved, preventing unauthorized information disclosure.

Conclusion

CVE-2023-40338 is an information disclosure vulnerability that affects Jenkins Folders Plugin 6.846.v23698686ff6 and earlier versions. Exploiting this issue exposes details of the Jenkins controller file system. To protect your Jenkins infrastructure, it's crucial to update to the latest version of the Folders Plugin as soon as possible. Stay informed about plugin updates and monitor the Jenkins Security Advisory page for new vulnerabilities and patches.

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/22/2023 18:50:00 UTC