VYPR
Moderate severity · NVD Advisory · Published Jul 12, 2023 · Updated Nov 7, 2024

CVE-2023-37959

Description

A missing permission check in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing permission check in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers with Overall/Read permission to cause Jenkins to send an HTTP request to an attacker-specified URL.

Vulnerability

Overview

A missing permission check in Jenkins Sumologic Publisher Plugin version 2.2.1 and earlier allows attackers with Overall/Read permission to trigger an HTTP connection to an attacker-specified URL. This flaw exists because the plugin does not require any additional permission (such as Configure) for the operation, effectively permitting a low-privileged user to initiate outbound requests from the Jenkins controller [1].
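An added illustration of this flaw class and its fix, not the plugin's own code: a hypothetical Jenkins publisher descriptor whose form-validation method performs an outbound check with no permission check, beside the hardened version using the standard Jenkins pattern (require POST, then check Item/Configure for a job or Overall/Administer for global configuration). ExamplePublisher, doCheckEndpoint and the endpoint parameter are assumed names; the page does not show which method in the real plugin was affected.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Publisher;
import hudson.tasks.Recorder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical publisher standing in for the plugin; not its real code.
public class ExamplePublisher extends Recorder {
    @Override
    public BuildStepMonitor getRequiredMonitorService() {
        return BuildStepMonitor.NONE;
    }
    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        // Shape of the flaw described above: a form-validation endpoint with no
        // permission check, so anyone with Overall/Read can make the controller
        // connect to a caller-supplied URL.
        public FormValidation doCheckEndpointUnsafe(@QueryParameter String endpoint) {
            // placeholder: the real plugin would open a connection to 'endpoint' here
            return FormValidation.ok();
        }

        // Hardened form: @POST rejects GET requests, and the permission the
        // operation belongs to (Item/Configure in a job context, Overall/Administer
        // for global configuration) is checked before any outbound request.
        @POST
        public FormValidation doCheckEndpoint(@AncestorInPath Item item,
                                              @QueryParameter String endpoint) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            // placeholder: same connectivity test, now gated on the check above
            return FormValidation.ok();
        }
    }
}
```

checkPermission throws an AccessDeniedException for callers lacking the permission, so the connectivity test never runs for a user who only holds Overall/Read.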

Exploitation

Prerequisites

An attacker only needs the Overall/Read permission on the Jenkins instance, which is typically granted to most users. No further authentication or special privileges are required. The attacker can then exploit this by configuring the plugin's publisher to send a request to any URL they control, without the need for any interaction from a higher-privileged user [2].

Impact

Successful exploitation allows the attacker to perform server-side request forgery (SSRF) from the Jenkins controller. This can be used to probe internal network services, access cloud metadata endpoints (e.g., AWS, Azure), or potentially exfiltrate sensitive information if responses to such requests are surfaced to the attacker. The impact is limited to the ability to make HTTP requests, but the consequences depend on the network environment and the services reachable from the Jenkins controller.

Mitigation

Status

As of the advisory date (2023-07-12), no fixed version of the Sumologic Publisher Plugin has been released. Users are advised to remove or disable the plugin until an update is available. The issue is considered unresolved in the official Jenkins security advisory [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:sumologic-publisher (Maven)
Affected versions: <= 2.2.1
Patched versions: (none listed)

Affected products: 3

Patches: 0 (no patches discovered yet)
