CVE-2023-24448

Overview

CVE-2023-24448 is a missing permission check vulnerability in the Jenkins RabbitMQ Consumer Plugin. Versions 2.8 and earlier do not properly validate that a user has the necessary permissions before allowing them to configure an AMQP(S) connection. This flaw stems from the absence of a required permission check in the plugin's code.

Exploitation

An attacker who already possesses the Overall/Read permission in Jenkins (a low-privilege permission) can exploit this vulnerability. The attacker can specify an arbitrary AMQP(S) URL, along with a username and password of their choice. No further authentication is needed beyond the initial Overall/Read access. The attack can be carried out remotely by sending crafted requests to the Jenkins controller.

Impact

By exploiting this issue, an attacker can force the Jenkins controller to connect to a malicious AMQP(S) server under the attacker's control. This could lead to data exfiltration if the plugin exchanges sensitive information over the connection, or potentially enable further attacks on the Jenkins environment.

Mitigation

The vulnerability is fixed in RabbitMQ Consumer Plugin version 2.9 or later. Users should upgrade to the latest version. No workarounds are provided, and the issue is not currently listed in the Known Exploited Vulnerabilities (KEV) catalog. [1][2]