VYPR
Moderate severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 2, 2025

CVE-2023-24433

Description

Missing permission checks in Jenkins Orka by MacStadium Plugin allow attackers with Overall/Read to exfiltrate credentials via attacker-controlled HTTP server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The Jenkins Orka by MacStadium Plugin, versions 1.31 and earlier, lacks permission checks on the code path that opens connections. This flaw allows users with only Overall/Read permission to initiate connections to an attacker-specified HTTP server using attacker-chosen credential IDs. The plugin does not verify that the user is entitled to use those credentials, so the stored credentials can be exposed to an unauthorized party [1][2].

Exploitation

Prerequisites

An attacker must have Overall/Read permission on the Jenkins instance, which is a low-privilege role. Additionally, they need to obtain valid credential IDs through another method, such as exploiting a separate vulnerability or enumerating existing credentials. With both in hand, the attacker can make the plugin connect to an HTTP server they control using those credentials, which effectively exfiltrates them [1][2].

Impact

Successful exploitation allows the attacker to capture credentials stored in Jenkins. These credentials could include API tokens, SSH keys, or other secrets, potentially leading to further compromise of Jenkins and connected systems, such as source code repositories or cloud infrastructure [1][2].

Mitigation

The Jenkins Security Advisory published on 2023-01-24 recommends updating the Orka by MacStadium Plugin to a version that includes the necessary permission checks. Users should also review and restrict Overall/Read permissions to trusted users only. No workaround is mentioned, so upgrading is the primary remediation [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem   Affected versions   Patched versions
io.jenkins.plugins:macstadium-orka   Maven       < 1.32              1.32

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 1