CVE-2023-41942 - Jenkins AWS CodeCommit Trigger Plugin CSRF Vulnerability Allowing Attackers to Clear SQS Queue

A cross-site request forgery (CSRF) vulnerability, tagged as CVE-2023-41942, has been discovered in the Jenkins AWS CodeCommit Trigger Plugin version 3..12 and earlier. This post aims to provide an in-depth analysis of the vulnerability, including code snippets, links to original references, and details on exploitation. Although this post is intended to be easy to understand, a basic knowledge of web application security, Jenkins, and Amazon Web Services (AWS) is required to grasp its content fully.

Vulnerability Details

Attackers can use the identified CSRF vulnerability in the Jenkins AWS CodeCommit Trigger Plugin to force users to execute unwanted actions on their web applications. Specifically, if the SQS queue is compromised, an attacker can clear the messages in the queue. This disruption may lead to problems with build automation and deployment, especially those relying on AWS CodeCommit.

This vulnerability (CVE-2023-41942) affects Jenkins AWS CodeCommit Trigger Plugin version 3..12 and earlier. Administrators are advised to update the plugin immediately to protect their systems.

Here's an example of how the CSRF vulnerability may be exploited to clear the SQS queue

<!DOCTYPE html>
<html>
  <body>
    <form action="http://TARGET_JENKINS_URL/plugin/aws-codecommit-trigger-plugin/clearMessages"; method="POST">
      <input type="hidden" name="queueName" value="TARGET_SQS_QUEUE_NAME" />
    </form>
    <script>
      document.forms[].submit();
    </script>
  </body>
</html>

Replace the "TARGET_JENKINS_URL" with the targeted Jenkins instance URL and "TARGET_SQS_QUEUE_NAME" with the name of the SQS queue that you want to clear.

This HTML file containing the malicious JavaScript code would be distributed to users with access to the Jenkins instance. The script would automatically submit the form, sending a request to clear the specified SQS queue when loaded in the victim's browser. If the victim had the required permissions, the queue would be cleared without their knowledge or consent.

Relevant References

For more information about CVE-2023-41942 and the Jenkins AWS CodeCommit Trigger Plugin vulnerability, refer to the following resources:

1. Jenkins Security Advisory 2023-01-01: https://www.jenkins.io/security/advisory/2023-01-01/
2. CVE-2023-41942 Details on NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-41942
3. Jenkins AWS CodeCommit Trigger Plugin GitHub Repository: https://github.com/jenkinsci/aws-codecommit-trigger-plugin

Mitigation

To mitigate this vulnerability, it is crucial to update the Jenkins AWS CodeCommit Trigger Plugin to the latest version (3..13 or newer). The update addresses the CSRF vulnerability by implementing proper protection measures like anti-CSRF tokens. Additionally, ensure that Jenkins is configured correctly to restrict access and enable built-in security features like Content Security Policy (CSP).

Conclusion

The cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3..12 and earlier, CVE-2023-41942, can be exploited by attackers to clear the SQS queue. This situation may lead to problems with build automation and deployment. To fully protect your Jenkins environment, update the plugin to the latest version and implement the best security practices for Jenkins configuration. Moreover, stay informed about new security issues by subscribing to security mailing lists and following the official Jenkins Security Advisory page.

Timeline

Published on: 09/06/2023 13:15:00 UTC
Last modified on: 09/11/2023 18:43:00 UTC