In September 2023, the CVE-2023-40347 vulnerability was published, impacting the popular Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin versions 1.14 and earlier. This bug is serious because it lets anyone with the "Item/Configure" permission in Jenkins access secrets they were never meant to see. Let’s break down what happened, how it works, and what you can do about it, in plain language.
What Is Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin?
A long name, but the idea is simple: this Jenkins plugin lets you pull artifact (build) choices directly from a Nexus repository into your Jenkins jobs. It’s used by teams who automate software builds and releases.
To talk to Nexus, Jenkins plugins often need credentials (usernames and passwords, or tokens). Jenkins has a built-in system to *separate* and *protect* these credentials. Usually, only trusted parts of Jenkins can access sensitive secrets.
What Was The Flaw? (TL;DR)
The plugin didn’t follow good rules for checking who is allowed to access credentials. Instead of checking if the current user is supposed to use a credential *in that context*, the plugin just handed them over if you had the right to configure an item—even if the credential was supposed to be private.
This bug is called an "improper privilege assignment" problem. Attackers could trick Jenkins into giving up credentials they shouldn't be able to see.
Jenkins Security Advisory for this bug:
SECURITY-321: Maven Artifact ChoiceListProvider does not set correct context
How Could An Attacker Exploit This?
Suppose a Jenkins user named _Eve_ (with “Item/Configure” perms, but *not* admin or credentials perms!) wants to steal a credential called “nexus-admin-password”.
Configure the artifact provider to use “nexus-admin-password” as its credential.
4. When the job runs or when the configuration is rendered, the plugin requests the credential from Jenkins—but it doesn’t properly check whether Eve is allowed to see it.
Here’s how this could look in a (simplified) snippet:
// Vulnerable plugin logic (simplified example)
Credentials credentials = CredentialsProvider.findCredentialById(
selectedCredentialId, StandardUsernamePasswordCredentials.class, item
);
// The bug: 'item' might not be the right security context.
// So if Eve can configure 'item', she gets ANY credential.
She then prints the value (since the plugin now leaks it into the build), for example with a build step like this:
# A build step Eve adds
echo "My secret: $ARTIFACT_CHOICE_PARAM"
or fetches it in some other way.
5. When the build runs, the secret is passed into the build, or printed in logs, and Eve sees the value.
How is This Possible? (Technical Dive)
In Jenkins, credentials are linked to domains and contexts—for instance, a credential might only be visible to jobs in a certain folder, or to Admins.
Safe plugins use the API like this:
CredentialsProvider.lookupCredentials(
StandardUsernamePasswordCredentials.class,
context, // usually the real context: the job, the system, etc.
ACL.SYSTEM // or the authenticating user!
)
…but the vulnerable versions of Maven Artifact ChoiceListProvider (Nexus) passed in a *wider* or *less restrictive* context. So, anyone who could edit an item could get any credential, even those marked as 'Hidden', 'System-only', or restricted to other users/projects.
- Affected: 1.14 and earlier.
- Fixed: *No fix* as of the September 2023 advisory. The plugin was marked as “vulnerable and not maintained”.
Official References
- Jenkins Security Advisory 2023-09-06
- CVE Details - CVE-2023-40347
- Plugin site (archived)
What Should You Do Now?
- Uninstall the plugin. There’s no fixed version. If you need similar functionality, look for alternatives (see artifact-manager-s3 or Pipeline steps).
- Audit your credentials. If you used this plugin, assume any credential used *may have been leaked*.
- Restrict “Item/Configure” permission. Limit who can set up or edit Jenkins jobs.
- Regularly update plugins and Jenkins core.
- Subscribe to Jenkins Security Advisories.
Summary
CVE-2023-40347 is a classic, but dangerous, flaw: a plugin that gives up credentials too easily. Even users of limited power could grab secrets from unrelated projects. Since there’s no patch, the only safe way is to remove the vulnerable plugin. Always keep plugins updated, review who can configure jobs, and watch your secrets!
If you want to dig deeper, check out the original Jenkins advisory: https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-321
Timeline
Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 20:00:00 UTC