A recent vulnerability has been discovered in Jenkins Delphix Plugin versions 3..2 and earlier versions (CVE-2023-40344). This vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

In this post, we'll discuss the details of this vulnerability, provide a code snippet to show how it can be exploited, and share the original references for further information.

Exploit Details

This vulnerability exists due to a missing permission check in the Jenkins Delphix Plugin. The lack of a proper permission check means that users with just Overall/Read permission can list the credential IDs of stored credentials in Jenkins. These credential IDs can then be utilized by an attacker to perform further malicious activities within the target system.

To give you an example, suppose the following code snippet is executed by a user with Overall/Read permission:

import requests

url = "http://<jenkins_server>/descriptorByName/org.jenkinsci.plugins.delphix.DelphixGlobalListCredentials/list";

response = requests.get(url, auth=('user', 'password'))

print(response.text)

In the code snippet above, the user sends an HTTP GET request to the target URL, which is the Jenkins server running the Delphix plugin. If the vulnerable plugin is installed, this request would return the list of credential IDs, even though the user only has Overall/Read permission and should not have access to such sensitive information.

1. Jenkins Security Advisory: https://www.jenkins.io/security/advisory/2023-01-10/#SECURITY-2694%20(2%20Privilege%20escalation)
2. CVE Record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40344

Mitigation

The vulnerability has been addressed in Jenkins Delphix Plugin version 3..3. It is strongly recommended that affected users update to the latest version as soon as possible.

In conclusion, this vulnerability highlights the importance of proper permission checks in web applications. Regularly reviewing and updating plugins, as well as implementing appropriate security controls, can significantly reduce the risk of such vulnerabilities being exploited by attackers.

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 20:01:00 UTC