VYPR
High severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 2, 2025

CVE-2023-24446

Description

Jenkins OpenID Plugin 2.4 and earlier contains a CSRF vulnerability that allows attackers to trick users into logging in to the attacker's account.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

Jenkins OpenID Plugin 2.4 and earlier is vulnerable to a cross-site request forgery (CSRF) attack [1][2]. The vulnerability arises because the plugin neither issues nor validates a unique, unpredictable token for the login request, which changes the user's authentication state, so an attacker can forge that request on behalf of an authenticated user.

Exploitation

An attacker can exploit this CSRF vulnerability by crafting a malicious link or webpage that, when visited by a Jenkins user, automatically triggers a login request to the attacker's own OpenID provider [1]. The attack requires no special privileges beyond the ability to host a malicious page and convince a valid Jenkins user to click the link, typically via social engineering or embedding in a trusted site. The user must be already logged into Jenkins for the attack to succeed [1].

Impact

Successful exploitation causes the victim to be logged into the attacker's OpenID account within Jenkins [1][2]. This can lead to unauthorized actions performed under the attacker's identity, potentially allowing the attacker to gain access to the victim's session or perform actions as the attacker [1]. The impact is limited to the attacker's own account context, but it can still compromise the integrity of user sessions and lead to further abuse.

Mitigation

Jenkins has addressed this vulnerability in OpenID Plugin version 2.5 by implementing proper CSRF protection [1]. Users should upgrade to this version or later. No workarounds are provided [1].
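As an added illustration of the missing control described above (constructed example, not the Jenkins plugin's code, whose implementation this page does not show), the following Python model binds an unpredictable state value to the browser session that started the login and rejects a completion that presents a value the session never issued. The `check_state=False` mode is an assumed abstraction of an unprotected login flow, not a reproduction of the plugin's pre-2.5 code.

```python
import hmac
import secrets


class LoginFlow:
    """Toy model of an OpenID-style login round trip (constructed example).
    With check_state=True, completing a login requires the state value that
    this very browser session was issued when it started the login."""

    def __init__(self, check_state=True):
        self.check_state = check_state
        self.sessions = {}  # session_id -> {"state": ..., "user": ...}

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"state": None, "user": None}
        return sid

    def begin_login(self, sid):
        """Step 1: issue a fresh state value bound to this session."""
        state = secrets.token_urlsafe(32)
        self.sessions[sid]["state"] = state
        return {"redirect": "https://idp.example/authorize", "state": state}

    def complete_login(self, sid, state, asserted_identity):
        """Step 2: the provider callback; True only if the login is accepted."""
        session = self.sessions[sid]
        expected = session["state"]
        session["state"] = None  # single use: a replay must fail too
        if self.check_state:
            if expected is None or state is None:
                return False
            if not hmac.compare_digest(expected, state):
                return False
        session["user"] = asserted_identity
        return True


def demo():
    """Unprotected flow accepts a foreign completion; protected flow rejects it."""
    results = {}
    for protected in (False, True):
        flow = LoginFlow(check_state=protected)
        victim = flow.new_session()
        # A completion reaches the victim's session that it never started:
        # the state belongs to some other session, not to the victim.
        other_state = flow.begin_login(flow.new_session())["state"]
        results[protected] = flow.complete_login(victim, other_state, "foreign-account")
    return results
```

`demo()` returns `{False: True, True: False}`: without the session-bound check the victim's session ends up bound to an identity it never chose, which is the login-CSRF outcome the advisory describes.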

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:openid (Maven)
Affected versions: <= 2.4
Patched versions: not listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1