VYPR
Moderate severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 2, 2025

CVE-2023-24435

Description

Missing permission check in Jenkins GitHub Pull Request Builder Plugin lets attackers with Overall/Read connect to attacker-specified URL and capture credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Summary

A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credential IDs, potentially capturing credentials.

Details

The plugin fails to perform a permission check when connecting to external URLs using attacker-specified credential IDs. Attackers with Overall/Read permission (a low-level privilege) can exploit this by providing a malicious URL and credential IDs obtained through other means (e.g., credential ID enumeration or another vulnerability). The plugin then connects to that URL using those credentials, effectively exfiltrating the credentials to an attacker-controlled server [3].

The GitHub Pull Request Builder Plugin is deprecated and no longer maintained. Its repository acknowledges known security vulnerabilities and recommends migration to the GitHub Branch Source Plugin [2]. Because no patch will be released, users must manually upgrade to the replacement plugin.

Impact

Successful exploitation allows an attacker to capture credentials stored in Jenkins, which may include sensitive tokens, passwords, or keys. These credentials could be used to gain broader access to Jenkins resources or external systems.

Mitigation

The only mitigation is to stop using the deprecated GitHub Pull Request Builder Plugin and migrate to the GitHub Branch Source Plugin as advised by the vendor [2]. No patches are available for the affected versions.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Affected versions   Patched versions
org.jenkins-ci.plugins:ghprb (Maven)  <= 1.42.2           none
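Because no patched version exists, the practical check for an operator is simply whether the plugin is installed at an affected version. The following script is an added example, not part of this advisory or of the plugin project: it reads the JSON that Jenkins' plugin manager API (`/pluginManager/api/json?depth=1`) returns and flags installs of `ghprb` at or below 1.42.2. The sample JSON is constructed for the example; the `shortName`, `version`, `active` and `enabled` fields are ones the real API exposes.

```python
"""Flag Jenkins installs running the GitHub Pull Request Builder plugin (ghprb)
at a version affected by CVE-2023-24435, using plugin-manager API output."""
import json
from typing import Dict, List, Tuple

# Advisory data from this page: org.jenkins-ci.plugins:ghprb, affected <= 1.42.2,
# no patched release. "ghprb" is the plugin's short name in the plugin manager.
AFFECTED_SHORT_NAME = "ghprb"
LAST_AFFECTED_VERSION = "1.42.2"
REPLACEMENT_PLUGIN = "github-branch-source"

# Constructed sample of /pluginManager/api/json?depth=1 output (not a real capture).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "github-branch-source", "version": "1742.va_1ecb_66d0ced",
         "active": True, "enabled": True},
        {"shortName": "ghprb", "version": "1.42.2", "active": True, "enabled": True},
        {"shortName": "git", "version": "5.2.1", "active": True, "enabled": True},
    ]
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted plugin version ("1.42.2", "1.42", "1.42.2-SNAPSHOT") into a
    comparable tuple. Leading digits of each dot-separated piece are kept, any
    non-numeric suffix is dropped, and missing trailing parts count as 0."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(short_name: str, version: str) -> bool:
    """True when this plugin/version pair falls in the advisory's affected range."""
    if short_name != AFFECTED_SHORT_NAME:
        return False
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


def affected_plugins(plugin_manager_json: str) -> List[Dict[str, object]]:
    """Parse plugin-manager JSON and return one finding per affected plugin entry.
    An installed-but-disabled plugin is still reported: the advisory has no fix,
    so the remediation is removal, not disabling."""
    data = json.loads(plugin_manager_json)
    findings: List[Dict[str, object]] = []
    for plugin in data.get("plugins", []):
        name = str(plugin.get("shortName", ""))
        version = str(plugin.get("version", ""))
        if is_affected(name, version):
            findings.append({
                "shortName": name,
                "version": version,
                "active": bool(plugin.get("active", False)),
                "enabled": bool(plugin.get("enabled", False)),
                "advice": f"uninstall {name} and migrate jobs to {REPLACEMENT_PLUGIN}",
            })
    return findings


if __name__ == "__main__":
    for finding in affected_plugins(SAMPLE_PLUGIN_MANAGER_JSON):
        print(finding)
```

Feed it the real API response from each controller you operate (the endpoint needs Overall/Read, which an administrator already has); any finding means the controller is exposed until the plugin is removed, since the table above lists no patched version.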

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four subsections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 1