CVE-2023-4301: Critical Cross-Site Request Forgery (CSRF) Vulnerability Discovered in Jenkins Fortify Plugin 22.1.38

Jenkins is a widely used open-source automation server that helps automate the various stages of the software development pipeline. Jenkins uses Fortify Plugin to scan applications and discover vulnerabilities that could compromise the integrity of the applications. A recent cybersecurity threat identified as CVE-2023-4301 has been discovered impacting the Jenkins Fortify Plugin 22.1.38 and earlier versions. The vulnerability is of type Cross-Site Request Forgery (CSRF), and it allows attackers to access protected Jenkins resources bypassing the security measures and stealing credentials stored in Jenkins.

Vulnerability Details

This security vulnerability exists because the Jenkins Fortify Plugin 22.1.38 and earlier do not enforce the necessary CSRF protection measures. An attacker can exploit this vulnerability by connecting to an attacker-specified URL and using attacker-specified credentials IDs, which have been obtained through another method.

The following code snippet shows the vulnerable code in Fortify Plugin

public HttpResponse doTestConnection(
                @QueryParameter String apiUrl,
                @QueryParameter String credentialId)
                throws ServletException, IOException {
...
...
}

This code is responsible for handling the connection to the Fortify API server, and it lacks CSRF protection measures, resulting in potential exploitation.

Exploit Details

To exploit this vulnerability, an attacker must obtain the valid Jenkins account's credentials IDs. Instead of acquiring these credentials through brute force or other nefarious means, the attacker connects to an attacker-specified URL using those credentials. The attacker then captures the credentials and gains unauthorized access to Jenkins. This unauthorized access allows the attacker to execute arbitrary code, modify the application's configurations and corresponding build jobs, as well as control Jenkins operation and activities.

For additional details on this vulnerability, refer to the official Jenkins security advisory

1. Jenkins Security Advisory 2023-03-01
2. CVE-2023-4301 on the NIST National Vulnerability Database

Mitigation

The Jenkins project has released a security update addressing the identified vulnerability. Users are advised to update their Jenkins Fortify Plugin to version 22.1.39 or later, which incorporates security fixes and robust CSRF protection. Users are also encouraged to regularly monitor the Jenkins security advisories and implement any recommended security practices to maintain a secure Jenkins infrastructure.

Conclusion

Cross-site request forgery vulnerabilities like CVE-2023-4301 can have severe consequences for organizations using the Jenkins automation server and Fortify Plugin. It is essential to be aware of such security threats and take timely action to patch systems and implement best-practice security measures. By understanding the risks and applying the recommended solutions, you can prevent unauthorized access to your Jenkins infrastructure and protect valuable credentials and information.

Timeline

Published on: 08/21/2023 23:15:00 UTC
Last modified on: 08/24/2023 21:36:00 UTC