VYPR
High severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 2, 2025

CVE-2023-24432

Description

CSRF in Jenkins Orka Plugin lets attackers capture credentials by connecting to attacker-controlled server using attacker-specified credentials IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Orka by MacStadium Plugin version 1.31 and earlier [1]. The plugin exposes an HTTP endpoint that can be reached without the POST-only restriction that Jenkins' crumb-based CSRF protection relies on (the crumb is only checked on POST requests), so a request to that endpoint can be forged from any page a logged-in Jenkins user visits. The endpoint connects to an attacker-specified HTTP server using an attacker-specified credentials ID, so a forged request makes Jenkins authenticate to the attacker's server with credentials the attacker only knows the ID of, obtained through another method [2].
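The endpoint shape behind this bug class, as an added example that is not the Orka plugin's own code: a Jenkins form-validation method exposing a "test connection" action, first in the vulnerable form (answers GET, no permission check) and then hardened the way Jenkins' plugin guidance prescribes, which also covers what the Mitigation section below only states as "upgrade". The class name, the method names and the `endpoint` parameter are assumptions; `@RequirePOST`, `@AncestorInPath`, `checkPermission` and the credentials-plugin lookup calls are real Jenkins APIs. The actual 1.32 change is not reproduced on this page, so this shows the shape of the fix, not the fix itself.

```java
// Added example, not code from the Orka plugin: a Jenkins "test connection"
// form-validation method in the shape this bug class takes, before and after
// hardening. ConnectionCheckExamples, the doTestConnection* names and the
// `endpoint` parameter are hypothetical; the annotations and the
// Jenkins/credentials-plugin calls are real APIs.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.Collections;

/** In a real plugin these doXxx methods live on a Descriptor, and Stapler
 *  binds them to URLs under the descriptor's path. */
public class ConnectionCheckExamples {

    // BEFORE (vulnerable pattern). Without @RequirePOST the method answers GET
    // requests, and Jenkins' crumb check only guards POST, so a forged <img>
    // or <a> on any page a logged-in user views can call it. There is no
    // permission check either, so Overall/Read is enough for the victim.
    // Result: Jenkins authenticates to `endpoint` (attacker-controlled) with
    // the credentials behind `credentialsId` (attacker-supplied).
    public FormValidation doTestConnectionVulnerable(
            @QueryParameter String endpoint,
            @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials c = lookup(null, credentialsId);
        if (c == null) {
            return FormValidation.error("No credentials with ID " + credentialsId);
        }
        return connect(endpoint, c);
    }

    // AFTER (hardened). @RequirePOST rejects non-POST requests, so the call
    // must be a POST carrying a valid crumb, which a cross-site page cannot
    // read. The caller must also be allowed to configure the item (or, for
    // global cloud configuration, the instance) whose credentials are about
    // to be used, and only credentials visible in that scope resolve.
    @RequirePOST
    public FormValidation doTestConnectionHardened(
            @AncestorInPath Item item,
            @QueryParameter String endpoint,
            @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        StandardUsernamePasswordCredentials c = lookup(item, credentialsId);
        if (c == null) {
            return FormValidation.error("No credentials with ID " + credentialsId);
        }
        return connect(endpoint, c);
    }

    // Resolve a credentials ID within the given scope (null = global scope).
    private static StandardUsernamePasswordCredentials lookup(Item item, String id) {
        if (id == null || id.isEmpty()) {
            return null;
        }
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        item,
                        ACL.SYSTEM,
                        Collections.emptyList()),
                CredentialsMatchers.withId(id));
    }

    // Placeholder for the plugin's real API client: this is the step that
    // would send the secret to whatever host `endpoint` names, which is why
    // who may trigger it, and how, matters.
    private static FormValidation connect(String endpoint, StandardUsernamePasswordCredentials c) {
        return FormValidation.ok("Would authenticate to " + endpoint + " as " + c.getUsername());
    }
}
```

The two defences are independent: the permission check alone would not stop a forged GET issued by an administrator's browser, and `@RequirePOST` alone would still let any logged-in user drive the endpoint with their own POST. Both are needed, which is why Jenkins tracks the two gaps as separate findings when a plugin lacks both.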

Exploitation

Preconditions

The attacker needs two things. First, the ID of a credentials entry stored in Jenkins. Credentials IDs are identifiers rather than secrets and routinely appear in job configuration, Pipeline scripts and build logs, so obtaining one "through another method", as the advisory puts it, is usually a low bar. Second, a victim: an authenticated Jenkins user who loads an attacker-controlled page or link while logged in. The victim needs nothing beyond Overall/Read permission [1].

Impact

A successful forgery makes the Jenkins controller open a connection to the attacker's HTTP server and authenticate with the credentials behind the supplied ID; the attacker's server only has to log the incoming request to capture them [2]. What is exposed is whatever those credentials unlock, on Orka hosts or any other system that accepts them, so a single click by a low-privilege user can turn into access well outside Jenkins.

Mitigation

The vulnerability is fixed in Orka by MacStadium Plugin version 1.32 [1]; upgrade. No workaround is documented. Disabling the plugin removes the endpoint along with the Orka integration, and restricting who can log in to Jenkins shrinks the pool of possible victims, but while a vulnerable version is installed every logged-in user with Overall/Read remains a viable target. If a vulnerable version was in use on an instance whose users browse the wider web while logged in, treat the credentials the plugin can reference as potentially exposed and consider rotating them.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem   Affected versions   Patched versions
io.jenkins.plugins:macstadium-orka   Maven       < 1.32              1.32

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 1