CVE-2023-37958
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers to connect to an attacker-specified URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the Jenkins Sumologic Publisher Plugin (2.2.1 and earlier, unfixed) lets an attacker who holds no Jenkins credentials make the Jenkins controller connect to an attacker-specified URL by riding on a logged-in user's browser session.
What the vulnerability is
CVE-2023-37958 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Sumologic Publisher Plugin, version 2.2.1 and earlier [1][2][3]. The plugin exposes an HTTP endpoint, a form validation method used when configuring the publisher, that does not require POST requests [3]. Jenkins' built-in CSRF protection validates a crumb only on POST requests, so an endpoint that also answers GET is reachable from a cross-site request carrying no crumb at all. A request forged that way and issued by the browser of a logged-in Jenkins user makes the plugin connect to a URL of the attacker's choice [1][3]. The root cause is therefore not a missing token in the plugin's own forms but the endpoint's acceptance of GET, which sidesteps the platform-level crumb check.
How it is exploited
Exploitation needs a victim: a user who is logged in to Jenkins with at least Overall/Read permission (the permission needed to reach the endpoint at all) and whose browser is steered to an attacker-controlled page or link [1][3]. The attacker needs no Jenkins account; the victim's browser attaches the session cookie automatically, so the forged request is authenticated as the victim. The plugin then opens the connection from the Jenkins controller, so the target can be any URL the controller can reach, including hosts on internal networks that the attacker cannot reach directly [1]. The same-origin policy prevents the attacker's page from reading the endpoint's response, so what the attacker observes is out of band: for example, a connection arriving at infrastructure they control.
Impact
An attacker can make the Jenkins controller open an outbound connection to an attacker-specified URL [1][3]. In practice this yields server-side request forgery (SSRF) style effects: probing whether internal hosts and services are reachable from the controller, and causing the controller to contact attacker infrastructure. The advisory does not state that the response is returned to the attacker, and a cross-site request cannot read it, so this is best treated as a blind SSRF primitive rather than a direct data-exfiltration channel [1]. The attacker controls only the URL, not the rest of the request, which bounds what can be done with the connection.
Mitigation
As of the Jenkins Security Advisory 2023-07-12, no fix is available for the Sumologic Publisher Plugin [3][4], and the GitHub advisory likewise lists no patched version [1]. Administrators should uninstall the plugin where it is not needed. Where it must stay, reduce exposure: restrict outbound network access from the Jenkins controller so a forced connection cannot reach sensitive internal services, and keep Jenkins' CSRF protection enabled, since it still covers every endpoint that does require POST [1][3].
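Both the mechanism described under "What the vulnerability is" and the mitigation above turn on one Jenkins detail: crumb-based CSRF protection is enforced only for POST, so a form validation method that also accepts GET is open to cross-site requests. The following is an added example written for this page, not the Sumologic Publisher Plugin's source: a hypothetical publisher whose descriptor shows the unprotected form validation pattern beside the hardened one. The class, field and method names (ExampleUrlPublisher, endpoint, doCheckEndpoint, doCheckEndpointUnprotected) are assumptions; the Jenkins and Stapler APIs used are real.

```java
// Added example, not the Sumologic Publisher Plugin's code. Names are hypothetical.
package example.jenkins;

import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Publisher;
import hudson.tasks.Recorder;
import hudson.util.FormValidation;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Hypothetical post-build publisher that talks to a configured endpoint URL. */
public final class ExampleUrlPublisher extends Recorder {
    private final String endpoint;

    @DataBoundConstructor
    public ExampleUrlPublisher(String endpoint) { this.endpoint = endpoint; }

    public String getEndpoint() { return endpoint; }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        listener.getLogger().println("Would publish to " + endpoint); // unrelated to the flaw
        return true;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {
        @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override public String getDisplayName() { return "Example URL publisher"; }

        /**
         * VULNERABLE pattern. Stapler binds this under the descriptor's descriptorByName URL as
         * .../checkEndpointUnprotected and serves it on GET. Jenkins checks the CSRF crumb only
         * on POST, so an <img src="...checkEndpointUnprotected?value=http://attacker.example/">
         * loaded in a logged-in user's browser reaches this method and the controller connects.
         */
        public FormValidation doCheckEndpointUnprotected(@QueryParameter String value) {
            return probe(value);
        }

        /**
         * HARDENED pattern. @POST rejects non-POST requests, so the crumb filter applies to every
         * request that gets here; the permission check is the companion control that Jenkins'
         * form-validation guidance also requires, not the CSRF fix itself.
         */
        @POST
        public FormValidation doCheckEndpoint(@AncestorInPath Item item, @QueryParameter String value) {
            if (item == null) {
                return FormValidation.ok(); // no job context: do nothing, as the Jenkins docs advise
            }
            item.checkPermission(Item.CONFIGURE);
            return probe(value);
        }

        /** Shared connectivity test; scheme restriction and timeouts bound what a forced probe can do. */
        private static FormValidation probe(String value) {
            if (value == null || value.isBlank()) {
                return FormValidation.error("Endpoint URL is required");
            }
            try {
                URL url = new URL(value);
                if (!"https".equals(url.getProtocol())) {
                    return FormValidation.error("Only https endpoints are accepted");
                }
                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setConnectTimeout(5_000);
                conn.setReadTimeout(5_000);
                conn.setRequestMethod("HEAD");
                int code = conn.getResponseCode();
                return code < 400
                        ? FormValidation.ok("Reachable (HTTP " + code + ")")
                        : FormValidation.error("Endpoint returned HTTP " + code);
            } catch (IOException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }
    }
}
```

A quick check for any plugin's form validation endpoint: issue the same request as a GET with no crumb. A hardened endpoint refuses it instead of performing the connection, which is exactly the behaviour the unfixed Sumologic Publisher endpoint lacks.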
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:sumologic-publisher | Maven | <= 2.2.1 | — |
Affected products
- Range: <= 2.2.1
Patches
No patches discovered yet.
References
- [1] https://github.com/advisories/GHSA-7jrr-fwhw-762v (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2023-37958 (NVD)
- [3] https://www.jenkins.io/security/advisory/2023-07-12/ (Jenkins vendor advisory)
- [4] https://www.openwall.com/lists/oss-security/2023/07/12/2 (oss-security mailing list)
News mentions
- Jenkins Security Advisory 2023-07-12 (Jenkins Security Advisories, Jul 12, 2023)