VYPR
Moderate severity · NVD Advisory · Published Jun 14, 2023 · Updated Dec 31, 2024

CVE-2023-35148

Description

A CSRF vulnerability in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers to connect to an attacker-specified URL, capturing stored credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Overview

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Digital.ai App Management Publisher Plugin version 2.6 and earlier. The plugin fails to properly validate and protect against CSRF attacks, allowing an attacker to trick a Jenkins user into making a request that causes Jenkins to connect to an attacker-controlled URL. Credentials stored in Jenkins can be exposed when that connection is made [1][2].

Exploitation

To exploit this vulnerability, an attacker must first craft a malicious link or page that, when visited by a Jenkins user with the required permissions, triggers a forged request. The CSRF attack does not require authentication on the part of the attacker but does rely on a user with appropriate privileges (e.g., Job/Configure) to interact with the crafted page. The plugin in version 2.6 and earlier does not include CSRF protection tokens or other mechanisms to verify the origin of requests, making it susceptible to this attack vector [1][3].

Impact

Successful exploitation allows the attacker to direct the Jenkins instance to connect to an arbitrary external URL. Because Jenkins stores credentials (such as API tokens, passwords, or SSH keys) and may send them as part of that connection, the attacker can capture them. This could lead to further compromise of the Jenkins environment and of any systems accessible with those credentials [2].

Mitigation

Jenkins has released Digital.ai App Management Publisher Plugin version 2.7, which addresses this vulnerability by adding proper permission checks to form validation methods [4]. Users are strongly encouraged to upgrade to version 2.7 or later. No workaround is available for versions 2.6 and earlier [1]. This vulnerability has not been reported as exploited in the wild as of the advisory date.
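The fix pattern the advisory describes (permission checks on form validation methods, combined with requiring POST) is shown below as an added example of a hardened Jenkins descriptor method. This is not the Digital.ai App Management Publisher Plugin's own code; the class, method and parameter names (ExamplePublisher, doTestConnection, serverUrl, credentialsId) are assumptions chosen for illustration.

```java
// Added illustrative example, not the plugin's actual code. It demonstrates the
// defensive pattern for a Jenkins "Test connection" form validation method:
//   1. @RequirePOST so a forged cross-site GET (link, image tag) cannot trigger it;
//   2. an explicit permission check, so only users allowed to configure the job
//      (or administer Jenkins) can make the server connect anywhere;
//   3. URL validation before any network activity takes place.
// Names such as ExamplePublisher and serverUrl are assumptions.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Publisher;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.URI;
import java.util.Collections;

public class ExamplePublisher extends Publisher {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {

        // Hardened form validation endpoint. Without @RequirePOST and the
        // checkPermission call, any page a logged-in user visits could make
        // Jenkins open a connection to a URL of the page author's choosing,
        // carrying the credentials selected by credentialsId.
        @RequirePOST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl,
                                               @QueryParameter String credentialsId) {
            // Permission check: the user must be allowed to configure this job,
            // or to administer Jenkins when called outside a job context.
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }

            // Validate the target before touching credentials or the network:
            // only absolute http(s) URLs are acceptable for a connection test.
            URI target;
            try {
                target = new URI(serverUrl);
            } catch (Exception e) {
                return FormValidation.error("Server URL is not a valid URI");
            }
            String scheme = target.getScheme();
            if (scheme == null || !(scheme.equals("https") || scheme.equals("http"))
                    || target.getHost() == null) {
                return FormValidation.error("Server URL must be an absolute http(s) URL");
            }

            // Resolve the stored credential only after both checks have passed.
            StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                    CredentialsProvider.lookupCredentials(
                            StandardUsernamePasswordCredentials.class, item, ACL.SYSTEM,
                            Collections.emptyList()),
                    CredentialsMatchers.withId(credentialsId));
            if (creds == null) {
                return FormValidation.error("No credentials found for the selected id");
            }

            // The actual connection attempt is out of scope for this example; the
            // point is that it is now reachable only by POST from an authorised user.
            return FormValidation.ok("Checks passed for " + target.getHost());
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example publisher (illustrative)";
        }
    }
}
```

A quick way to verify a deployed plugin follows this pattern is to check that the validation endpoint answers a plain GET with an HTTP 405 (the @RequirePOST response) and that a user without Job/Configure receives an access-denied error rather than a connection result.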

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:ease-plugin (Maven)
Affected versions: <= 2.6
Patched versions: not listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 1