A critical security vulnerability has been discovered in Jenkins Job Configuration History Plugin version 1227.v7a_79fc4dc01f and earlier. The vulnerability, assigned the identifier CVE-2023-41932, is the result of the plugin not restricting 'timestamp' query parameters in several endpoints. This could allow an attacker to delete directories on the Jenkins controller file system, provided they contain a file named 'history.xml.'

Background

Jenkins is an open-source automation server that helps developers automate various tasks related to building, testing, and deploying code. One of the popular plugins for Jenkins is the Job Configuration History Plugin. This plugin saves and tracks changes made to job configurations. It provides a visual interface for users to access the saved history and make comparisons between different versions of the configuration files.

Technical Details

The vulnerability found in the Jenkins Job Configuration History Plugin is due to the lack of restrictions on the 'timestamp' query parameters in multiple endpoints. This allows an attacker with permission to access these endpoints to specify directory paths that they want to target for deletion.

The following code snippet demonstrates the issue

// Vulnerable code in Jenkins Job Configuration History Plugin
public void doPost(StaplerRequest req, StaplerResponse rsp) {
    String timestamp = req.getParameter("timestamp");
    if (timestamp != null) {
        // The input 'timestamp' is not properly sanitized or restricted,
        // allowing an attacker to target and delete any directory containing the 'history.xml' file
        deleteConfig(timestamp);
    }
}

As a result, an attacker can potentially delete important data on the Jenkins controller file system. This can result in a Denial of Service (DoS) condition, where the affected Jenkins instance becomes inoperable or suffers from significant service degradation.

Impact

This vulnerability poses a significant risk to organizations using Jenkins with the Job Configuration History plugin installed. If successfully exploited, an attacker could delete critical directories on the Jenkins controller file system, leading to data loss and potential service disruption.

Mitigation

It is strongly recommended that users running the Jenkins Job Configuration History Plugin version 1227.v7a_79fc4dc01f or earlier update their plugin to the latest version immediately. As a temporary workaround, users can also restrict access to affected endpoints by implementing firewall rules or other access control mechanisms.

For additional information, refer to the following official Jenkins security advisory

- Jenkins Security Advisory 2023-02-15

Conclusion

The discovery of CVE-2023-41932 in the Jenkins Job Configuration History Plugin underscores the importance of regular security audits and updates for third-party plugins and applications. Organizations that rely on Jenkins for their CI/CD pipelines should ensure they follow best practices for securing their Jenkins installations, including keeping all software components up to date and applying appropriate access controls.

Timeline

Published on: 09/06/2023 13:15:00 UTC
Last modified on: 09/11/2023 20:07:00 UTC