CVE-2023-24447
Description
CSRF in Jenkins RabbitMQ Consumer Plugin allows attackers to connect to attacker-specified AMQP(S) URLs using arbitrary credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
A cross-site request forgery (CSRF) vulnerability exists in Jenkins RabbitMQ Consumer Plugin version 2.8 and earlier. The plugin fails to require a CSRF token for requests that configure the AMQP(S) connection parameters, allowing an attacker to trick an authenticated Jenkins administrator into submitting a malicious request.
Exploitation
An attacker can craft a malicious link or web page that, when visited by a Jenkins administrator with the necessary permissions, triggers a request to the Jenkins instance that configures the RabbitMQ Consumer Plugin. This request includes an attacker-specified AMQP(S) URL and credentials. The attacker does not need prior authentication or privileges on the Jenkins instance, but the victim must be logged in to Jenkins.
Impact
Successful exploitation allows the attacker to redirect Jenkins to an arbitrary AMQP(S) endpoint under their control, using attacker-supplied credentials. This could enable the attacker to intercept or manipulate messages intended for the legitimate AMQP server, potentially leading to information disclosure or further compromise of the Jenkins environment.
Mitigation
The vulnerability has been fixed in RabbitMQ Consumer Plugin version 2.9. Users are advised to upgrade to this version or later. No workarounds have been provided by the vendor. This issue is tracked in the Jenkins security advisory 2023-01-24 [1] and CVE-2023-24447 [2].
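As an added example (not part of this record or of the plugin's own code), a small Python check that reads the JSON Jenkins serves at /pluginManager/api/json?depth=1 and flags an installed rabbitmq-consumer plugin whose version falls in the affected range (2.8 and earlier). The plugin short name is taken from the Maven artifact name in the table below, and the plugin-manager JSON is a constructed sample so the script runs offline.

```python
import json
import re

# Plugin short name (from the Maven artifactId) and the last affected release
# named on this page: 2.8 and earlier are affected, 2.9 carries the fix.
PLUGIN_SHORT_NAME = "rabbitmq-consumer"
LAST_AFFECTED = "2.8"

# Constructed sample of what Jenkins returns from
# /pluginManager/api/json?depth=1, trimmed to the fields used here.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.0.0", "active": True},
        {"shortName": "rabbitmq-consumer", "version": "2.8", "active": True},
    ]
})

def version_key(version):
    """Split a plugin version into comparable integer parts.

    Plain string comparison is wrong here ("2.10" < "2.8" lexically), so only
    the leading dotted integers are compared; a suffix such as "-beta" is
    dropped, which errs on the side of flagging pre-releases of 2.8.
    """
    digits = re.match(r"[\d.]+", version)
    parts = digits.group(0).split(".") if digits else []
    return tuple(int(p) for p in parts if p)

def is_affected(version):
    """True if this rabbitmq-consumer version is 2.8 or earlier."""
    return version_key(version) <= version_key(LAST_AFFECTED)

def find_affected_plugins(plugin_manager_json):
    """Return (shortName, version) pairs of installed copies in the affected range."""
    data = json.loads(plugin_manager_json)
    hits = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        if is_affected(plugin.get("version", "0")):
            hits.append((plugin["shortName"], plugin["version"]))
    return hits

if __name__ == "__main__":
    for name, version in find_affected_plugins(SAMPLE_PLUGIN_MANAGER_JSON):
        print(f"{name} {version} is in the affected range; upgrade to 2.9 or later")
```

On a live instance, fetch the endpoint with an account that can read the plugin manager and pass the response body to find_affected_plugins.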
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:rabbitmq-consumer (Maven) | <= 2.8 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] www.jenkins.io/security/advisory/2023-01-24/ (Jenkins security advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-24447 (NVD entry)
- github.com/advisories/GHSA-wj79-9fxj-j86p (GitHub Security Advisory)
News mentions
- Jenkins Security Advisory 2023-01-24 (Jenkins Security Advisories, Jan 24, 2023)