Jenkins, a popular open-source automation server, is widely used for automation tasks such as building, testing, and deploying applications. Jenkins has a vast ecosystem of plugins that extend its capabilities. One such plugin, the Maven Artifact ChoiceListProvider (Nexus) Plugin, is used to create build parameters whose choices are Maven artifacts fetched from Nexus repositories.

In this post, we will analyze CVE-2023-40347, a vulnerability found in Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier versions. We will discuss the issue in detail, explain the exploit, and provide remediation recommendations.

Vulnerability Summary

CVE-2023-40347 is a security vulnerability that affects the Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier. The plugin fails to set the appropriate context (the requesting user and the item being configured) for its credentials lookup, which allows attackers with Item/Configure permission to enumerate and capture credentials they are not entitled to use.

Vulnerability Details

The root cause of this vulnerability is the lack of proper context when looking up credentials. When the plugin populates its credentials drop-down, it should restrict the result to those credentials that the current user is authorized to use in the job being configured. The plugin does not do this, so any user with Item/Configure permission can list, and therefore obtain the ids of, sensitive credentials that are not scoped to them.

Here is a code snippet illustrating the vulnerable part of the plugin:

// Vulnerable code in the Maven Artifact ChoiceListProvider (Nexus) Plugin
public ListBoxModel doFillCredentialsIdItems() {
  // No Authentication and no Item are passed to the lookup, so it runs with
  // the plugin's own system-level view of the credential store rather than
  // the view of the user who is configuring the job.
  return new StandardListBoxModel()
      .withEmptySelection()
      .withMatching(
          CredentialsMatchers.instanceOf(UsernamePasswordCredentials.class),
          CredentialsProvider.lookupCredentials(
              StandardUsernamePasswordCredentials.class,
              Jenkins.getInstance()));
}


In the code snippet above, the plugin fetches all credentials of the StandardUsernamePasswordCredentials class without passing an authentication context or any scoping restriction, so every credential visible at the Jenkins root is exposed to any user who can open the job configuration page.

Original References

1. NVD - CVE-2023-40347
2. Jenkins Security Advisory - 2023-03-20

Exploit Details

An attacker exploiting this vulnerability can perform the following steps:

1. Gain Item/Configure permission on the Jenkins server.
2. Create a job, and configure it to use the Maven Artifact ChoiceListProvider (Nexus) Plugin as a parameter.
3. The attacker can now view all credentials available in the system in the parameter's credentials drop-down, including those they do not have permission to use.

Remediation

To address this vulnerability, the following steps should be taken:

1. Update the Maven Artifact ChoiceListProvider (Nexus) Plugin to version 1.15 or later, which addresses the vulnerability by setting the correct context for credentials lookup. The updated code snippet is as follows:

// Fixed code in the Maven Artifact ChoiceListProvider (Nexus) Plugin
public ListBoxModel doFillCredentialsIdItems() {
  return new StandardListBoxModel()
      .withEmptySelection()
      .withMatching(
          CredentialsMatchers.instanceOf(UsernamePasswordCredentials.class),
          CredentialsProvider.lookupCredentials(
              StandardUsernamePasswordCredentials.class,
              Jenkins.getInstance(),
              // Look up as the user making the request, not as the system,
              // so only credentials that user may use are returned.
              Jenkins.getAuthentication(),
              new ArrayList<DomainRequirement>()));
}

2. Restrict the Item/Configure permission to trusted individuals only.
3. Regularly review and rotate credentials, and review user privileges within your Jenkins server, to minimize the impact of exploitation.
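The two snippets above show the missing context and the minimal fix. As an added example that is not the plugin's own code, the following descriptor applies the fuller pattern the Jenkins Credentials Plugin documents for credentials drop-downs: it injects the item being configured, refuses to enumerate anything for callers without the required permission, runs the lookup as the item's own authentication (or SYSTEM on a global page), and validates the selected id under the same scoping so the validation endpoint cannot be used to probe for ids either. The class name NexusArtifactParameterDescriptor and the form field credentialsId are hypothetical; the Jenkins and Credentials Plugin APIs used are real.

```java
// Added example, not the plugin's own code: a credentials drop-down for a Jenkins
// descriptor that scopes the lookup to the calling user and the current item.
// The class name and the "credentialsId" field are hypothetical.
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.model.ParameterDefinition;
import hudson.model.Queue;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;

import java.util.Collections;
import java.util.List;

public class NexusArtifactParameterDescriptor extends Descriptor<ParameterDefinition> {

    public NexusArtifactParameterDescriptor() {
        super(ParameterDefinition.class);
    }

    /** Who the lookup runs as: the item's own authentication when configuring a
     *  job, or SYSTEM when there is no item (global configuration page). */
    private static Authentication lookupAuthentication(Item item) {
        return item instanceof Queue.Task
                ? ((Queue.Task) item).getDefaultAuthentication()
                : ACL.SYSTEM;
    }

    /** True only if the current user is allowed to see credentials in this context. */
    private static boolean mayListCredentials(Item item) {
        if (item == null) {
            // Global configuration: only administrators may enumerate credentials.
            return Jenkins.get().hasPermission(Jenkins.ADMINISTER);
        }
        // Job configuration: require EXTENDED_READ or the explicit credentials-use permission.
        return item.hasPermission(Item.EXTENDED_READ)
                || item.hasPermission(CredentialsProvider.USE_ITEM);
    }

    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (!mayListCredentials(item)) {
            // Enumerate nothing; keep the already-selected value so the form
            // does not silently reset the existing configuration.
            return result.includeCurrentValue(credentialsId);
        }
        List<DomainRequirement> noRequirements = Collections.emptyList();
        return result
                .includeEmptyValue()
                .includeMatchingAs(
                        lookupAuthentication(item),   // context: who is looking
                        item,                         // context: which job/folder
                        StandardUsernamePasswordCredentials.class,
                        noRequirements,
                        CredentialsMatchers.instanceOf(StandardUsernamePasswordCredentials.class))
                .includeCurrentValue(credentialsId);
    }

    /** Validates the chosen id under the same scoping as the drop-down. */
    public FormValidation doCheckCredentialsId(@AncestorInPath Item item,
                                               @QueryParameter String value) {
        if (!mayListCredentials(item)) {
            return FormValidation.ok(); // reveal nothing to callers who may not list credentials
        }
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok(); // empty means anonymous access to Nexus
        }
        boolean found = !CredentialsProvider.listCredentials(
                StandardUsernamePasswordCredentials.class,
                item,
                lookupAuthentication(item),
                Collections.<DomainRequirement>emptyList(),
                CredentialsMatchers.withId(value)).isEmpty();
        return found
                ? FormValidation.ok()
                : FormValidation.error("Cannot find a username/password credential with id '" + value + "'");
    }
}
```

The important difference from the vulnerable snippet is that both the enumeration and the validation are gated on the caller's permission on the injected Item and run with that item's authentication, so a user with Item/Configure on one job sees only the credentials that job is entitled to use, not everything stored at the Jenkins root.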

Conclusion

CVE-2023-40347 is a critical vulnerability in the Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier versions. By properly configuring and updating the plugin and limiting user access, you can protect your Jenkins server from this vulnerability and secure your sensitive credentials.

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 20:00:00 UTC