CVE-2023-24436
Description
A missing permission check in Jenkins GitHub Pull Request Builder Plugin allows attackers with Overall/Read to enumerate credential IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2023-24436 is a missing permission check in the Jenkins GitHub Pull Request Builder Plugin, versions 1.42.2 and earlier. The plugin does not verify that the requesting user holds the necessary permission before exposing credential IDs, so any attacker with Overall/Read permission can enumerate the IDs of credentials stored in Jenkins [1][4].
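The advisory describes the vulnerability class, not the code. The block below is an added illustration, not code from the plugin or the Jenkins project: it shows the typical shape of a Jenkins credentials-dropdown form-fill method without a permission check next to the hardened shape the Jenkins plugin guidance recommends. The method and parameter names (`doFillCredentialsIdItems`, `credentialsId`) are assumptions; the plugin's actual method may differ.

```java
// Added illustration of the "missing permission check" class behind
// CVE-2023-24436; method and parameter names are assumed, not the plugin's.
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import java.util.Collections;

public class CredentialsIdListing {

    // VULNERABLE shape: Stapler exposes doFillXxxItems methods as URLs, so
    // without a check any Overall/Read user can request this endpoint directly
    // and receive every matching credential ID.
    public ListBoxModel doFillCredentialsIdItemsUnchecked(@AncestorInPath Item context) {
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, context, StandardUsernamePasswordCredentials.class,
                        Collections.emptyList());
    }

    // HARDENED shape: require Item/ExtendedRead or Credentials/UseItem on the
    // job (Overall/Administer when there is no job context); otherwise return
    // only the value already configured, so nothing new is disclosed.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item context,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (context == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!context.hasPermission(Item.EXTENDED_READ)
                && !context.hasPermission(CredentialsProvider.USE_ITEM)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, context, StandardUsernamePasswordCredentials.class,
                        Collections.emptyList())
                .includeCurrentValue(credentialsId);
    }
}
```

Reviewing a plugin for this defect means checking every `doFill*Items` and `doCheck*` method that touches credentials for exactly this kind of guard.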
Exploitation
An attacker needs only Overall/Read permission on the Jenkins instance, a relatively low privilege that many authenticated users hold; no further authentication is required. With it, the attacker can use the unchecked code path to list credential IDs and learn which credentials exist for use in further attacks [1].
Impact
Credential IDs alone do not reveal the secret values, but they give an attacker useful reconnaissance. Knowing the IDs lets an attacker reference specific credentials in other exploits or in social engineering, raising the risk of credential theft or misuse [1][4].
Mitigation
The GitHub Pull Request Builder Plugin is deprecated and no longer maintained, as noted in its repository [3]. Users are strongly advised to migrate to the GitHub Branch Source Plugin, the recommended replacement. No patch is available for this vulnerability; the only mitigation is to remove or replace the plugin [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:ghprb (Maven) | <= 1.42.2 | — |
Affected products (2)
- Range: unspecified
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (1)
- Jenkins Security Advisory 2023-01-24 (Jenkins Security Advisories, Jan 24, 2023)