VYPR
Moderate severity · NVD Advisory · Published Jul 12, 2023 · Updated Nov 6, 2024

CVE-2023-37949

Description

Jenkins Orka by MacStadium Plugin 1.33 and earlier lacks a permission check, letting attackers with Overall/Read access connect to an attacker-specified URL and capture stored credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2023-37949 is a missing permission check vulnerability in the Jenkins Orka by MacStadium Plugin, affecting versions 1.33 and earlier. The plugin fails to verify that a user has the appropriate permissions before performing an action that connects to an attacker-specified URL using attacker-specified credentials IDs [1][3]. This allows an attacker with only Overall/Read permission (typically a low-privilege role) to trigger a connection to an external URL of their choice, using credentials IDs that were obtained through another method.

Exploitation and Attack Surface

To exploit this vulnerability, an attacker must have Overall/Read permission on the Jenkins instance, which is commonly granted to non-administrative users. The attacker also needs to have obtained valid credentials IDs through other means, such as via a separate information disclosure flaw or prior reconnaissance. Once these prerequisites are met, the attacker can induce the plugin to connect to a URL they control, effectively making a request that carries the selected credentials [1]. No additional authentication is required for the vulnerable action.

Impact

If the attacker-controlled URL is an HTTP/HTTPS endpoint, the Jenkins controller will transmit the credentials in the request. This can lead to the capture of sensitive credentials stored in Jenkins, including those for source code repositories, cloud services, or other integrated systems. The impact is considered high because it allows unauthorized credential exfiltration from a low-privilege starting point.

Mitigation

The vulnerability is addressed in Orka by MacStadium Plugin version 1.34 by adding the missing permission check [2]. Users are advised to upgrade to this version or later. There are no known workarounds for this issue; the only remediation is to update the plugin. This vulnerability is not listed as known exploited in the wild as of the advisory date [2].
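The overview and mitigation sections above describe the general pattern: a form-validation endpoint on a Jenkins Descriptor that connects to a user-supplied URL with a user-selected credential, without first checking that the caller may configure the cloud. The following Java is an added illustration written for this page; it is not the Orka by MacStadium plugin's code, and the class, method and parameter names (ExampleCloud, doTestConnectionUnsafe, doTestConnection, endpoint, credentialsId) are hypothetical. It shows the unchecked pattern beside the hardened one that Jenkins plugin authors use: require Overall/Administer before doing any work, and accept only POST so the action cannot be triggered by a crafted link.

```java
// Added illustration, not the Orka plugin's source. Names are hypothetical.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.model.Label;
import hudson.security.ACL;
import hudson.slaves.Cloud;
import hudson.slaves.NodeProvisioner.PlannedNode;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;

public class ExampleCloud extends Cloud {

    public ExampleCloud(String name) {
        super(name);
    }

    @Override
    public boolean canProvision(Label label) {
        return false; // provisioning is irrelevant to the example
    }

    @Override
    public Collection<PlannedNode> provision(Label label, int excessWorkload) {
        return Collections.emptyList();
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<Cloud> {

        // UNCHECKED PATTERN (the class of defect the advisory describes):
        // Descriptor form-validation URLs are reachable by anyone with
        // Overall/Read, so any such user can make the controller open a
        // connection to `endpoint` carrying the credential named by
        // `credentialsId`. Nothing here verifies that the caller may
        // configure clouds.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String endpoint,
                                                     @QueryParameter String credentialsId) {
            return connectAndReport(endpoint, credentialsId);
        }

        // HARDENED PATTERN: cloud configuration is a global, administrator-level
        // setting, so require Overall/Administer before touching credentials or
        // the network. checkPermission throws AccessDeniedException for other
        // callers. @POST additionally rejects GET requests, so the action cannot
        // be triggered by luring an administrator onto a crafted link.
        @POST
        public FormValidation doTestConnection(@QueryParameter String endpoint,
                                               @QueryParameter String credentialsId) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return connectAndReport(endpoint, credentialsId);
        }

        // Shared body: resolve the credential by ID and probe the endpoint with
        // HTTP Basic auth. This is ordinary plugin functionality; the security
        // property lives entirely in the check performed (or not) before it.
        private FormValidation connectAndReport(String endpoint, String credentialsId) {
            StandardUsernamePasswordCredentials cred = CredentialsMatchers.firstOrNull(
                    CredentialsProvider.lookupCredentials(
                            StandardUsernamePasswordCredentials.class,
                            Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                    CredentialsMatchers.withId(credentialsId));
            if (cred == null) {
                return FormValidation.error("No credential with ID " + credentialsId);
            }
            try {
                HttpURLConnection conn = (HttpURLConnection) new URL(endpoint).openConnection();
                conn.setRequestMethod("GET");
                String basic = cred.getUsername() + ":" + cred.getPassword().getPlainText();
                conn.setRequestProperty("Authorization", "Basic "
                        + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
                int status = conn.getResponseCode();
                return status == 200
                        ? FormValidation.ok("Connected to " + endpoint)
                        : FormValidation.error("Endpoint returned HTTP " + status);
            } catch (IOException e) {
                return FormValidation.error(e, "Connection failed");
            }
        }
    }
}
```

When reviewing a plugin for this defect class, look at every `do*` method on a Descriptor or GlobalConfiguration that takes a URL and a credentials ID: each should begin with a `checkPermission` call appropriate to its scope (Overall/Administer for global and cloud configuration, Item/Configure for job-level descriptors) and carry `@POST` or `@RequirePOST`. The fix in 1.34 referenced above is described as adding exactly such a missing check.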

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem   Affected versions   Patched versions
io.jenkins.plugins:macstadium-orka   Maven       < 1.34              1.34

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1