CVE-2023-24453
Description
Jenkins TestQuality Updater Plugin 1.3 and earlier lacks a permission check, allowing attackers with Overall/Read to make requests to arbitrary URLs with attacker-controlled credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The TestQuality Updater Plugin for Jenkins, versions 1.3 and earlier, does not perform a permission check in an unspecified feature. This allows users with only Overall/Read permission to trigger HTTP requests to an attacker-specified URL, using a username and password provided by the attacker [1][2]. The missing check means that the plugin does not verify if the user has the necessary permissions to perform such an action, effectively allowing low-privileged users to initiate network connections from the Jenkins server.
Exploitation
An attacker with Overall/Read permission can exploit this by providing a URL under their control along with a username and password. The Jenkins server will then attempt to authenticate to that URL using those credentials. No additional authentication or network access beyond Jenkins is required for the attacker; they simply need to be able to access the Jenkins instance [1][2]. The plugin does not validate that the target URL is legitimate or that the user is authorized to make such connections.
Impact
This vulnerability can be used to perform server-side request forgery (SSRF) attacks, as the Jenkins server sends a request to an arbitrary URL. Additionally, by supplying credentials, an attacker could use the Jenkins server as a proxy to authenticate to other services reachable from it, and could learn about the target from any information the response leaks back through Jenkins, potentially gaining access to sensitive systems [1][2].
Mitigation
Jenkins has released an update to the TestQuality Updater Plugin to address this issue. Users should upgrade to version 1.4 or later. There is no workaround mentioned in the advisory, so upgrading is the recommended action [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:testquality-updater (Maven) | <= 1.3 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xr8h-wj4v-rx7f (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-24453 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2023-01-24/ (ghsa, WEB)
News mentions
- Jenkins Security Advisory 2023-01-24 (Jenkins Security Advisories, Jan 24, 2023)