VYPR
Moderate severity · NVD Advisory · Published Jun 14, 2023 · Updated Dec 31, 2024

CVE-2023-35147


Description

Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier lacks path restriction in an HTTP endpoint, letting attackers with Item/Read permission read arbitrary files on the controller.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Overview

Jenkins AWS CodeCommit Trigger Plugin versions 3.0.12 and earlier fail to validate or restrict the AWS SQS queue name path parameter in an HTTP endpoint. An attacker with Item/Read permission can therefore place path traversal sequences in that parameter and read files elsewhere on the Jenkins controller's file system. [1][2]

Attack Vector and Requirements

The vulnerable endpoint accepts user-controlled path input without sufficient sanitization or validation. An authenticated attacker holding only the Item/Read permission, a relatively low privilege level, can send a crafted request containing directory traversal sequences to escape the intended queue-name location and access files outside it. No additional authentication or network position is required beyond Jenkins access with Item/Read permission. [1][2]

Impact

Successful exploitation enables the attacker to read the contents of arbitrary files stored on the Jenkins controller's file system, including sensitive configuration files, credentials, and other secrets. This could lead to full compromise of the Jenkins instance if, for example, attackers extract cryptographic keys or database passwords. [1][2]

Mitigation Status

As of the 2023-06-14 advisory, no patched version of the plugin has been released, and the issue remains unresolved in the latest available plugin version. Administrators who cannot update to a future fixed release should restrict access to the affected endpoints, monitor for unusual requests, and limit Item/Read permissions where possible. The plugin is listed among unresolved security issues in the same advisory. [1][3]
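As an added illustration that is not part of this advisory or of the plugin's own code, the following hypothetical Java class shows the two checks a fixed endpoint would apply to a queue-name path parameter: an allow-list on the raw value and a containment check on the resolved path. The QueuePathGuard name, the base directory and the ".json" file naming are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Hypothetical hardening for an endpoint that maps a user-supplied SQS queue
// name onto a file under a fixed base directory. Not the plugin's own code.
public final class QueuePathGuard {

    // Allow-list: the SQS queue-name alphabet (letters, digits, '-', '_',
    // optional ".fifo" suffix). Slashes, "..", NUL and encodings never match.
    private static final Pattern QUEUE_NAME =
            Pattern.compile("^[A-Za-z0-9_-]{1,80}(\\.fifo)?$");

    private QueuePathGuard() {}

    // Returns the queue-state file for queueName, or throws if the name is
    // not a plain queue name or the resolved path leaves baseDir.
    public static Path resolveQueueFile(Path baseDir, String queueName) throws IOException {
        if (queueName == null || !QUEUE_NAME.matcher(queueName).matches()) {
            throw new IllegalArgumentException("invalid queue name");
        }
        // Canonicalize the base (follows symlinks) so the containment check
        // compares real paths rather than whatever string the caller passed.
        Path base = baseDir.toRealPath();
        Path candidate = base.resolve(queueName + ".json").normalize();
        if (!candidate.startsWith(base)) {
            // Defense in depth: unreachable while the allow-list holds, but it
            // keeps the endpoint safe if that pattern is ever loosened.
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate;
    }

    // Constructed demo: one valid name, then inputs a vulnerable endpoint
    // would have concatenated straight into a file path.
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("codecommit-trigger-demo");
        System.out.println("ok: " + resolveQueueFile(base, "build-queue.fifo"));
        for (String bad : new String[] {"../../outside.txt", "sub/dir", "..%2Foutside"}) {
            try {
                resolveQueueFile(base, bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + bad + "': " + e.getMessage());
            }
        }
    }
}
```

The allow-list alone closes the traversal; the containment check is kept so that a later relaxation of the pattern (for example to accept queue URLs) does not silently reopen it.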

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:aws-codecommit-trigger (Maven)
Affected versions: <= 3.0.12
Patched versions: none listed

Affected products: 2
Patches: 0 (no patches discovered yet)
