VYPR
Moderate severity · NVD Advisory · Published Jul 12, 2023 · Updated Nov 7, 2024

CVE-2023-37951

Description

Jenkins mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins mabl Plugin 0.0.46 and earlier fails to set the proper context for credentials lookup, allowing attackers with Item/Configure permission to capture unauthorized credentials.

Vulnerability

Overview

The Jenkins mabl Plugin version 0.0.46 and earlier contains a vulnerability where it does not set the appropriate context for credentials lookup. This flaw allows attackers who have the Item/Configure permission to access and capture credentials they are not entitled to. The issue arises from the plugin's failure to enforce proper authorization checks when retrieving stored credentials, potentially exposing sensitive secrets.

Exploitation

An attacker with at least Item/Configure permission on a Jenkins project can exploit this vulnerability by triggering a credentials lookup operation through the plugin. Since the plugin does not restrict the context of the lookup, it may return credentials that the attacker should not have access to. The specific attack vector may involve maliciously crafted job configurations or external calls to the plugin's endpoints. No other special privileges or network position are required beyond the Item/Configure permission.
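The following Java helper is an added illustration and is not the mabl plugin's own code (the plugin's actual lookup code is not shown on this page). It contrasts the general Jenkins pattern that the advisory text describes, a credentials lookup resolved against the Jenkins root instead of the job, with a lookup scoped to the item being configured or run. The class and method names are hypothetical; the credentials-plugin and Jenkins core APIs used (CredentialsProvider, CredentialsMatchers, StandardListBoxModel, ACL.SYSTEM) are real, and the example assumes the classic Acegi-era lookupCredentials overload is still available.

```java
// Added example, not code from the mabl plugin. Contrasts a root-context
// credentials lookup with one scoped to the job that uses the credential.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.model.Run;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;

import java.util.Collections;
import java.util.List;

// Hypothetical class name; only the Jenkins APIs it calls are real.
public final class ScopedCredentialsLookup {

    private static final List<DomainRequirement> NO_DOMAIN = Collections.emptyList();

    /**
     * WEAK: resolves the id against the Jenkins root with SYSTEM authority.
     * Credentials stored with System scope (meant for the controller itself,
     * e.g. agent connections) are visible in this context, so a user holding
     * Item/Configure can point a build step at such an id and have the build
     * use a secret that was never meant to be available to jobs.
     */
    public static StandardUsernamePasswordCredentials lookupAtRoot(String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, NO_DOMAIN),
                CredentialsMatchers.withId(credentialsId));
    }

    /**
     * HARDENED: resolve at build time against the running job. findCredentialById
     * applies the job's context (global and enclosing-folder stores, never
     * System scope) and records the use on the credential's usage-tracking page.
     */
    public static StandardUsernamePasswordCredentials lookupForRun(String credentialsId,
                                                                   Run<?, ?> run) {
        return CredentialsProvider.findCredentialById(
                credentialsId, StandardUsernamePasswordCredentials.class, run);
    }

    /**
     * HARDENED: populate the credentials dropdown of a job configuration form.
     * The item is passed as the lookup context, and the caller must hold
     * Item/Configure on it; otherwise only the currently selected value is
     * echoed back, so the form never enumerates credentials the user cannot use.
     */
    public static ListBoxModel fillCredentialsIdItems(Item item, String currentValue) {
        StandardListBoxModel model = new StandardListBoxModel();
        if (item == null || !item.hasPermission(Item.CONFIGURE)) {
            return model.includeCurrentValue(currentValue);
        }
        return model
                .includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, item,
                        StandardUsernamePasswordCredentials.class, NO_DOMAIN,
                        CredentialsMatchers.always())
                .includeCurrentValue(currentValue);
    }
}
```

The check a reviewer wants to see is the context argument: every lookup that serves a job (the build step and the form dropdown) passes the item or the run, never Jenkins.get(), and the dropdown additionally verifies Item/Configure before listing anything.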

Impact

Successful exploitation allows an attacker to obtain sensitive credentials managed by Jenkins, such as API tokens, passwords, or SSH keys. These captured credentials could then be used to gain unauthorized access to other systems, escalate privileges within Jenkins, or move laterally in the infrastructure. The severity is considered a medium or high risk depending on the sensitivity of the credentials accessible.

Mitigation and Status

The vulnerability has been fixed in mabl Plugin version 0.0.47 [1][2]. Users are strongly advised to upgrade to this version or later. There is no known workaround, and the plugin should be updated as soon as possible to prevent potential credential theft. The issue was reported as part of the Jenkins Security Advisory 2023-07-12 [1] and was also listed in the oss-security mailing list announcement [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.mabl.integration.jenkins:mabl-integration (Maven)
Affected versions: < 0.0.47
Patched versions: 0.0.47

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1