VYPR
Moderate severity · NVD Advisory · Published May 16, 2023 · Updated Jan 23, 2025

CVE-2023-32979

Description

Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Email Extension Plugin lacks a permission check in form validation, allowing attackers with Overall/Read to probe for file existence in the email-templates/ directory.

Vulnerability

Description

The Jenkins Email Extension Plugin fails to perform a permission check in a method that implements form validation [1][2]. This oversight allows any user with the Overall/Read permission to invoke the validation method. The method is intended to verify configuration input, but in affected versions it does not confirm that the caller is authorized before it consults the underlying file system on the controller.
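The pattern the advisory describes, shown as an added illustration rather than the plugin's own source: a Stapler-bound form-validation method that touches the controller file system without first checking the caller's permission, beside a hardened form of the same method. The class, method names, and the choice of Jenkins.ADMINISTER as the required permission are assumptions for this example.

```java
// Hypothetical Jenkins plugin code written for this advisory page; it is NOT the
// Email Extension Plugin's actual implementation or fix.
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;

import java.io.File;

public class TemplateValidationExample {

    // Vulnerable shape. Stapler exposes any public doCheck* method on a descriptor
    // to the web UI, so every user holding Overall/Read can call it. Because the
    // result depends on File.exists(), the caller learns whether
    // $JENKINS_HOME/email-templates/<value> is present on the controller.
    public FormValidation doCheckTemplateVulnerable(@QueryParameter String value) {
        File template = new File(Jenkins.get().getRootDir(), "email-templates/" + value);
        if (!template.exists()) {
            return FormValidation.error("Template not found: " + value);
        }
        return FormValidation.ok();
    }

    // Hardened shape. The permission check runs before any file-system access;
    // checkPermission throws AccessDeniedException for callers who lack the
    // permission, so the existence test is never reached by ordinary readers.
    // Which permission is appropriate is plugin-specific; ADMINISTER is assumed here.
    public FormValidation doCheckTemplateHardened(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        File template = new File(Jenkins.get().getRootDir(), "email-templates/" + value);
        if (!template.exists()) {
            return FormValidation.error("Template not found: " + value);
        }
        return FormValidation.ok();
    }
}
```

When reviewing a plugin for this class of bug, look for every doCheck*, doFill*, and doTest* method and confirm a permission check precedes any file, network, or credential access.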

Exploitation

Prerequisites

An attacker must have at least the Overall/Read permission in Jenkins, which is typically granted to most authenticated users [1][2]. The attack is carried out by interacting with the form validation endpoint. The attacker can then test for the existence of arbitrary files within the email-templates/ directory located in the Jenkins home directory on the controller file system. No further authentication or network position is required beyond being a Jenkins user.

Impact

Successful exploitation reveals whether a specific file exists in that restricted directory. This does not allow reading the file's contents, but it discloses information that can be used to map the file system or confirm the presence of particular template files, potentially aiding more targeted attacks [2]. The vulnerability is rated medium severity because it discloses only existence, not content.

Mitigation

As of the advisory date, the Jenkins project has released a fix in a newer version of the Email Extension Plugin [1]. Users should upgrade to the fixed version to remove the permission bypass. No workarounds are mentioned; the standard mitigation is applying the update.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:email-ext  Maven       < 2.96.1            2.96.1

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1