VYPR
Moderate severity · NVD Advisory · Published Apr 12, 2023 · Updated Feb 7, 2025

CVE-2023-30525

Description

A CSRF vulnerability in Jenkins Report Portal Plugin 0.5 and earlier allows attackers to make authenticated Jenkins users connect to an attacker-controlled URL with an attacker-specified bearer token.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2023-30525 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Report Portal Plugin, version 0.5 and earlier. The plugin does not require a CSRF token or other validation for requests that trigger connections to attacker-controlled URLs, allowing an attacker to craft a malicious request that, if executed by an authenticated Jenkins user, will cause the plugin to connect to an attacker-specified URL using an attacker-specified bearer token for authentication [1][3].

Exploitation

To exploit this vulnerability, an attacker must trick an authenticated Jenkins user into clicking a crafted link or visiting a page that triggers a CSRF request. No other privilege or authentication is required beyond the victim having an active Jenkins session. The attacker can specify both the target URL and the bearer token to be used, even if those values have no relation to the legitimate Report Portal configuration [1][2].

Impact

An attacker can leverage this CSRF to connect to an attacker-controlled service using arbitrary bearer token credentials. This could disclose information to the attacker (e.g., by sending Jenkins build or system data to a malicious endpoint) or be used to probe internal networks reachable from the Jenkins server. The severity is considered medium because it requires user interaction and does not directly lead to code execution or data corruption on the Jenkins server [1][3].

Mitigation

The Jenkins security advisory recommends updating to a version of the Report Portal Plugin that includes a fix. As of April 2023, the plugin is among those with unresolved security issues, meaning a patched version may not yet be available. Users should consider disabling the plugin or implementing CSRF protection mechanisms (such as the Jenkins CSRF token) at the network level until an update is released [1][2].
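The defect class the advisory describes, shown as an added example that is not the Report Portal Plugin's own code: a Jenkins plugin form-validation endpoint that opens a connection to a caller-supplied URL with a caller-supplied bearer token. The class name, package, field and method names are hypothetical. The first handler shows the pattern to avoid (any GET from a logged-in browser triggers it, with no permission check); the second is the form Jenkins plugin developers are expected to use, where Stapler's @RequirePOST plus the Jenkins CSRF crumb filter stops cross-site triggering and checkPermission limits the action to administrators.

```java
package io.example.reportportal; // hypothetical package, not the real plugin's

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

// Hypothetical global configuration page with a "Test connection" button.
@Extension
public class ReportPortalGlobalConfig extends GlobalConfiguration {

    // PATTERN TO AVOID (illustrative only): a form-validation handler that
    // answers plain GET requests and performs no permission check. A browser
    // that already holds a Jenkins session can be pointed at this URL with
    // any endpoint/token pair, and Jenkins opens the connection and sends the
    // token on the victim's behalf. This is the weakness class the advisory
    // describes, not a copy of the plugin's code.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String endpoint,
                                                 @QueryParameter String token) {
        return probe(endpoint, token);
    }

    // HARDENED FORM: @RequirePOST makes Stapler reject anything but POST, and
    // Jenkins' crumb filter demands a valid CSRF crumb on every POST, so a
    // cross-site page cannot trigger the call. checkPermission additionally
    // restricts the action to users allowed to administer Jenkins.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String endpoint,
                                           @QueryParameter String token) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(endpoint, token);
    }

    // Shared connection test: only https, no redirect following, short
    // timeouts, bearer token sent as Authorization header.
    private static FormValidation probe(String endpoint, String token) {
        try {
            URL url = new URL(endpoint);
            if (!"https".equals(url.getProtocol())) {
                return FormValidation.error("Endpoint must use https");
            }
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setRequestMethod("GET");
            c.setConnectTimeout(5000);
            c.setReadTimeout(5000);
            c.setInstanceFollowRedirects(false);
            c.setRequestProperty("Authorization", "Bearer " + token);
            int code = c.getResponseCode();
            return code == 200
                    ? FormValidation.ok("Connected")
                    : FormValidation.error("Endpoint answered HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

With the hardened handler in place, a GET to the validation URL is answered with HTTP 405 by Stapler before the method body runs, and a POST without a crumb is rejected by the crumb filter. When auditing a plugin for this defect class, the check is whether every `do*` method that makes an outbound request or touches credentials carries @RequirePOST (or a POST-only equivalent) and a checkPermission call for the relevant permission.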

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:reportportal (Maven)
Affected versions: <= 0.5
Patched versions: (none listed)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1