CVE-2023-41943 - Jenkins AWS CodeCommit Trigger Plugin 3..12 Vulnerability: No Permission Check in HTTP Endpoint Allows Unauthorized Queue Clearing

Introduction

In this post, we will discuss CVE-2023-41943, a security vulnerability in the Jenkins AWS CodeCommit Trigger Plugin 3..12 and earlier. This vulnerability allows attackers with Overall/Read permission to clear the plugin's Amazon Simple Queue Service (SQS) queue without authorization. We will examine the vulnerability in detail, provide a code snippet illustrating the problem, and share relevant resources and links to help developers understand and mitigate the risk.

Background

Jenkins is a popular open-source automation server that facilitates continuous integration and delivery pipelines by automating tasks like building, testing, and deploying code. The Jenkins AWS CodeCommit Trigger Plugin is a Jenkins plugin that triggers Jenkins jobs when changes occur in AWS CodeCommit repositories. In versions 3..12 and earlier of the plugin, one of its HTTP endpoints was found to perform no permission check.

Vulnerability Details (CVE-2023-41943)

The vulnerability occurs because the AWS CodeCommit Trigger plugin does not perform a permission check in a specific HTTP endpoint. As a result, attackers with only Overall/Read permission can send a request that clears the SQS queue without authorization. Clearing the queue discards pending messages that Jenkins has not yet processed, so builds that should have been triggered by those CodeCommit changes never run, disrupting the CI/CD pipeline.

Here's a code snippet illustrating the lack of a permission check in the vulnerable HTTP endpoint:

import java.io.IOException;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Stapler web method: reachable as ".../clearQueue" on the object that declares it.
// @RequirePOST only rejects GET requests; it does not check who is calling.
@RequirePOST
public HttpResponse doClearQueue() {
    // Missing permission check! Any user with Overall/Read can reach this point.
    try {
        getDescriptor().getSqsQueue().clear();
        return HttpResponses.redirectToDot();
    } catch (IOException e) {
        LOGGER.error("Failed to clear AWS CodeCommit Trigger SQS Queue", e);
        return HttpResponses.error(500, "Failed to clear SQS Queue");
    }
}

As seen in the code above, there is no permission check in place before the doClearQueue() action is processed; the @RequirePOST annotation only restricts the HTTP method, not the caller's permissions.

Mitigation

To remediate this vulnerability, the plugin must be updated to introduce a permission check in the vulnerable HTTP endpoint. A check for the appropriate permission, such as Administer or Job/Configure permission, should be added before the actions associated with clearing the queue are executed. Here's an example of a code snippet after implementing the permission check:

import java.io.IOException;
import hudson.model.Item;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.interceptor.RequirePOST;

@RequirePOST
public HttpResponse doClearQueue() {
    // Added permission check: throws AccessDeniedException (HTTP 403 for a
    // logged-in user) before anything else happens if the caller lacks Job/Configure.
    getACL().checkPermission(Item.CONFIGURE);

    try {
        getDescriptor().getSqsQueue().clear();
        return HttpResponses.redirectToDot();
    } catch (IOException e) {
        LOGGER.error("Failed to clear AWS CodeCommit Trigger SQS Queue", e);
        return HttpResponses.error(500, "Failed to clear SQS Queue");
    }
}

In the updated code snippet above, the permission check runs before the queue is touched, so a caller who lacks the required permission receives an access-denied response instead of clearing the queue.
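As an added example that is not part of the original post or of the plugin's code, the following JenkinsRule test checks that the endpoint refuses a user holding only Overall/Read while still serving a privileged user. It assumes a recent jenkins-test-harness (org.htmlunit package) and uses a placeholder ENDPOINT_PATH for the plugin's actual Stapler URL, which this page does not give.

```java
import static org.junit.Assert.assertEquals;

import java.net.URL;
import jenkins.model.Jenkins;
import org.htmlunit.HttpMethod;
import org.htmlunit.WebRequest;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.JenkinsRule;
import org.jvnet.hudson.test.MockAuthorizationStrategy;

public class ClearQueuePermissionTest {

    @Rule
    public JenkinsRule j = new JenkinsRule();

    // Placeholder (assumption): the Stapler path where the plugin binds doClearQueue().
    private static final String ENDPOINT_PATH = "PLUGIN_ENDPOINT_PATH/clearQueue";

    // POST to the endpoint as the given user and return the raw HTTP status code.
    private int postAs(String user) throws Exception {
        JenkinsRule.WebClient wc = j.createWebClient().login(user);
        // Keep the redirectToDot() 302 visible and do not throw on a 403.
        wc.getOptions().setRedirectEnabled(false);
        wc.getOptions().setThrowExceptionOnFailingStatusCode(false);
        WebRequest req = new WebRequest(new URL(j.getURL(), ENDPOINT_PATH), HttpMethod.POST);
        wc.addCrumb(req); // @RequirePOST endpoints also require a valid CSRF crumb
        return wc.getPage(req).getWebResponse().getStatusCode();
    }

    @Test
    public void readOnlyUserCannotClearQueue() throws Exception {
        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
        j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy()
                .grant(Jenkins.READ).everywhere().to("reader")
                .grant(Jenkins.ADMINISTER).everywhere().to("admin"));

        // A fixed build answers 403; a vulnerable build answers 302 after clearing the queue.
        assertEquals(403, postAs("reader"));
        // The permission check must not lock out a legitimately privileged user.
        assertEquals(302, postAs("admin"));
    }
}
```

Run it from the plugin's own Maven build (mvn test) so the endpoint is bound on the test Jenkins instance.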

Conclusion

CVE-2023-41943 is a security vulnerability affecting the Jenkins AWS CodeCommit Trigger Plugin 3..12 and earlier, which allows attackers with Overall/Read permission to clear the SQS queue without proper authorization. Every Stapler web method that changes state should check the caller's permission explicitly, since @RequirePOST and CSRF crumbs alone do not establish authorization.

References

1. Jenkins AWS CodeCommit Trigger Plugin - https://plugins.jenkins.io/codecommit-trigger/
2. Jenkins Security Advisory - https://www.jenkins.io/security/advisory/2023-XX-XX/
3. AWS CodeCommit - https://aws.amazon.com/codecommit/
4. Jenkins - https://www.jenkins.io/

Stay tuned for more updates on this topic and other security vulnerabilities. Keep your plugins up to date and maintain strong security practices to protect your Jenkins instance and maintain a healthy CI/CD pipeline.

Timeline

Published on: 09/06/2023 13:15:11 UTC
Last modified on: 09/11/2023 18:40:55 UTC