VYPR
Moderate severity · NVD Advisory · Published Jul 12, 2023 · Updated Nov 6, 2024

CVE-2023-37956

Description

Missing permission check in Jenkins Test Results Aggregator Plugin allows attackers with Overall/Read to connect to arbitrary URLs with attacker-specified credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The Jenkins Test Results Aggregator Plugin versions 1.2.13 and earlier contain a missing permission check in a function that allows connecting to an arbitrary URL. This flaw means that any user with the Overall/Read permission can trigger the plugin to make a network request to a URL they control, using credentials they supply [1][3].

Exploitation

Prerequisites

An attacker only needs the Overall/Read permission, which is typically granted to most users in a Jenkins environment. No additional authentication or network position is required. The attacker can specify both the target URL and the credentials (e.g., basic auth username/password) to be used in the request [1][3].

Impact

This vulnerability can be leveraged for server-side request forgery (SSRF) attacks, enabling the attacker to probe internal services, exfiltrate data, or interact with external systems from the Jenkins controller. Additionally, by providing attacker-controlled credentials, the attacker might attempt to capture or replay credential material [3].

Mitigation

Status

As of the Jenkins Security Advisory 2023-07-12, this plugin is listed as an unresolved security issue; no patched version has been released [2]. Users should consider removing or disabling the plugin if not essential, or restrict the Overall/Read permission to trusted users only [1].
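A defender-side inventory check, added here as an example and not part of this advisory or of the plugin project: it parses the JSON returned by the Jenkins plugin manager API (`/pluginManager/api/json?depth=1`) and flags an installed Test Results Aggregator Plugin whose version is in the affected range (<= 1.2.13). The plugin short name `test-results-aggregator` is assumed to equal the Maven artifact id, the API account is assumed to be a Jenkins administrator with an API token, and the sample JSON is constructed.

```python
import base64
import json
from urllib.request import Request, urlopen

PLUGIN_SHORT_NAME = "test-results-aggregator"  # assumption: short name == Maven artifactId
LAST_AFFECTED = (1, 2, 13)                      # CVE-2023-37956: versions <= 1.2.13 affected

# Constructed sample of what /pluginManager/api/json?depth=1 returns (trimmed).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1", "enabled": True},
        {"shortName": "test-results-aggregator", "version": "1.2.13", "enabled": True},
    ]
})


def parse_version(text):
    """Turn '1.2.13' (or '1.2.13-rc1') into a tuple of ints so versions compare correctly."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def assess_plugins(plugin_manager_json):
    """Report whether the plugin is installed, enabled and at an affected version."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = plugin.get("version", "0")
            return {
                "installed": True,
                "version": version,
                "enabled": bool(plugin.get("enabled", False)),
                "affected": parse_version(version) <= LAST_AFFECTED,
            }
    return {"installed": False, "version": None, "enabled": False, "affected": False}


def fetch_plugin_manager_json(base_url, user, api_token):
    """Fetch the live plugin list with HTTP basic auth (administrator account assumed)."""
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = Request(f"{base_url.rstrip('/')}/pluginManager/api/json?depth=1",
                  headers={"Authorization": f"Basic {token}"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(assess_plugins(SAMPLE_PLUGIN_MANAGER_JSON))
```

Run it against a live controller by replacing the sample with `fetch_plugin_manager_json(url, user, token)`; an `affected: True` result means the plugin should be removed or disabled, since no fixed version is listed.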

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:test-results-aggregator (Maven)
Affected versions: <= 1.2.13
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)