Moderate severity · NVD Advisory · Published Apr 12, 2023 · Updated Feb 7, 2025

CVE-2023-30526

Description

Jenkins Report Portal Plugin 0.5 and earlier lacks a permission check, allowing attackers with Overall/Read to connect to arbitrary URLs with attacker-controlled bearer tokens.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication [1][3]. The vulnerability arises because the plugin does not verify that the user who triggers the connection to an external service holds any permission beyond Overall/Read.

An attacker with Overall/Read permission can exploit this by supplying a URL and a bearer token of their choice. The plugin then makes a request to that URL carrying the attacker-controlled token, potentially enabling data exfiltration or interaction with external systems [1]. No additional authorization check is performed for the target URL.

The impact is that an attacker can use the Jenkins server as a proxy to reach arbitrary services with attacker-supplied credentials. This could lead to unauthorized access to external resources or to leakage of information about the internal network. The attacker cannot directly execute code, but can cause Jenkins to initiate outbound connections.

Jenkins has released a security advisory for this vulnerability [1]. Users should upgrade to a fixed version of the Report Portal Plugin (0.6 or later) to mitigate the issue. As a workaround, administrators can restrict Overall/Read permissions to trusted users only.
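As an added example that is not the Report Portal Plugin's own code (the class and method names are hypothetical), this Java snippet contrasts the endpoint pattern the description implies with the hardened form that Jenkins plugin security guidance prescribes: an Overall/Administer permission check plus @RequirePOST on the form-validation method.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import java.net.URI;
import java.net.URISyntaxException;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical global configuration class, not the plugin's real one.
@Extension
public class ReportPortalGlobalConfig extends GlobalConfiguration {

    // BEFORE (the pattern CVE-2023-30526 describes): the form-validation URL is
    // reachable by anyone with Overall/Read, so such a user can make Jenkins
    // send a request to a URL of their choosing with a token of their choosing.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String endpoint,
                                                 @QueryParameter String token) {
        return checkInputs(endpoint, token);
    }

    // AFTER: the same endpoint hardened.
    // - @RequirePOST rejects GET requests, so the test cannot be triggered by a
    //   plain link and only the submitted configuration form reaches it.
    // - checkPermission(ADMINISTER) throws AccessDeniedException for any caller
    //   below Overall/Administer, so Overall/Read alone is no longer sufficient.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String endpoint,
                                           @QueryParameter String token) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return checkInputs(endpoint, token);
    }

    // Input validation shared by both variants. The outbound HTTP call itself is
    // not on the page and is intentionally left out; only the checks that should
    // precede it are shown.
    private FormValidation checkInputs(String endpoint, String token) {
        if (token == null || token.trim().isEmpty()) {
            return FormValidation.error("Bearer token must not be empty");
        }
        try {
            URI uri = new URI(endpoint);
            if (!"https".equals(uri.getScheme()) || uri.getHost() == null) {
                return FormValidation.error("Endpoint must be an absolute https URL");
            }
        } catch (URISyntaxException e) {
            return FormValidation.error("Endpoint is not a valid URL");
        }
        return FormValidation.ok("Parameters accepted; connection test may proceed");
    }
}
```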

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:reportportal (Maven)
Affected versions: <= 0.5
Patched versions: none listed

Affected products: 2

Patches: 0 (No patches discovered yet.)

References: 4

News mentions: 1