CVE-2023-37961
Description
A CSRF vulnerability in Jenkins Assembla Auth Plugin 1.14 and earlier lets attackers trick users into logging in to the attacker's account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2023-37961 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Assembla Auth Plugin, affecting versions 1.14 and earlier. The plugin's OAuth login flow does not bind the authorization callback to the browser session that started the login (the standard defence is a unique, unguessable state value that is stored server-side when the login starts and must come back unchanged with the callback), so Jenkins completes any login callback it receives. An attacker can therefore start a login with their own Assembla account, capture the resulting callback URL instead of following it, and deliver it to a victim through a crafted link or page; when the victim's browser loads it, Jenkins silently logs the victim in as the attacker's account, a classic login CSRF [1][2].
Exploitation
Prerequisites
Exploitation requires a user who can reach the Jenkins instance from their browser to open a crafted link or page (e.g., via social engineering). The victim does not need to be logged in to Jenkins: a login CSRF establishes a session rather than abusing an existing one. The attacker needs no privileges on the Jenkins instance beyond being able to sign in through the plugin with their own Assembla account, and no network position beyond the ability to deliver the link to the victim [1].
Impact
If successful, the victim's browser holds a Jenkins session authenticated as the attacker's account rather than the victim's own. The victim's existing account and session are not taken over; the damage comes from the victim acting without realising whose account they are in. Anything the victim then does in that session is done as the attacker, and anything they enter or configure (credentials they add to Jenkins, for example) lands in an account the attacker controls and can read, which is how sensitive data can be exposed [1][2].
Mitigation
Status
As of the advisory publication (2023-07-12), no fix was available for the Assembla Auth Plugin. The plugin is listed among those with unresolved security issues [1][2]. Users are advised to disable the plugin or restrict access to Jenkins until a patched version is released.
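The following is an added model of the flaw and its fix, written for this page; it is not the Assembla Auth Plugin's source, and the `FakeAuthServer`, `Session`, `VulnerableLogin` and `HardenedLogin` names are constructed stand-ins. A fake authorization server hands out one-time codes, and two callback handlers turn a code into a logged-in session. The vulnerable handler accepts any code it is given, so a callback URL the attacker captured after consenting with their own account logs a victim in as the attacker. The hardened handler only completes a callback whose `state` matches the value stored when this same browser session started the login, which is the generic OAuth login-CSRF defence (not a description of any specific patch to the plugin).

```python
"""Constructed model of an OAuth login callback with and without a state check."""
import hmac
import secrets
from dataclasses import dataclass, field


class FakeAuthServer:
    """Stand-in for the identity provider's OAuth endpoints (constructed, offline)."""

    def __init__(self):
        self._codes = {}

    def authorize(self, account):
        """User consents; the server issues a one-time code bound to that account."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = account
        return code

    def exchange(self, code):
        """Token endpoint: redeem the code once and learn whose account it is."""
        return self._codes.pop(code)


@dataclass
class Session:
    """Per-browser server-side session (keyed by the session cookie in reality)."""
    data: dict = field(default_factory=dict)


class VulnerableLogin:
    """Callback accepts whatever code arrives; nothing ties it to this session."""

    def __init__(self, idp):
        self.idp = idp

    def start(self, session):
        return "https://idp.example/authorize?client_id=jenkins"

    def callback(self, session, code, state=None):
        session.data["user"] = self.idp.exchange(code)
        return session.data["user"]


class HardenedLogin:
    """Callback only completes a login that this same session started."""

    def __init__(self, idp):
        self.idp = idp

    def start(self, session):
        state = secrets.token_urlsafe(32)          # unguessable, fresh per request
        session.data["oauth_state"] = state       # remembered server-side
        return f"https://idp.example/authorize?client_id=jenkins&state={state}"

    def callback(self, session, code, state=None):
        expected = session.data.pop("oauth_state", None)  # single use
        if expected is None or state is None or not hmac.compare_digest(expected, state):
            raise PermissionError("state mismatch: callback not initiated by this browser")
        session.data["user"] = self.idp.exchange(code)
        return session.data["user"]


def login_csrf(login_cls):
    """Attacker starts a login with their own account, captures the callback
    instead of following it, and gets the victim's browser to load it.
    Returns the account the victim's session ends up logged in as, or None."""
    idp = FakeAuthServer()
    login = login_cls(idp)
    attacker = Session()
    login.start(attacker)
    code = idp.authorize("attacker")              # attacker consents with own account
    state = attacker.data.get("oauth_state")      # whatever the attacker's URL carried
    victim = Session()                            # victim never started a login
    try:
        return login.callback(victim, code, state)
    except PermissionError:
        return None


def legitimate_login(login_cls, account="alice"):
    """Normal flow: the same session starts the login and receives the callback."""
    idp = FakeAuthServer()
    login = login_cls(idp)
    browser = Session()
    url = login.start(browser)
    state = url.split("state=", 1)[1] if "state=" in url else None
    code = idp.authorize(account)
    return login.callback(browser, code, state)


if __name__ == "__main__":
    print("vulnerable, forged callback ->", login_csrf(VulnerableLogin))
    print("hardened, forged callback   ->", login_csrf(HardenedLogin))
    print("hardened, own login         ->", legitimate_login(HardenedLogin))
```

The check that matters is the comparison against a value stored in the victim's own session: the attacker can put any `state` they like in the URL, but the victim's session never stored one, so the callback is refused. Popping the stored value also makes it single-use, so a captured callback cannot be replayed into the same session later.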
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:assembla-auth (Maven) | <= 1.14 | — |
Patches
No patches discovered yet.
References
- https://github.com/advisories/GHSA-p756-66w2-35g7 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-37961 (NVD entry)
- https://www.jenkins.io/security/advisory/2023-07-12/ (Jenkins vendor advisory)
- https://www.openwall.com/lists/oss-security/2023/07/12/2 (oss-security announcement)
News mentions
- Jenkins Security Advisory 2023-07-12, Jenkins Security Advisories, Jul 12, 2023