CVE-2023-37964

Vulnerability

Overview

CVE-2023-37964 is a cross-site request forgery (CSRF) vulnerability in the Jenkins ElasticBox CI Plugin, affecting version 5.0.1 and earlier. The plugin performs actions that are not protected against CSRF, meaning an attacker can craft a malicious request that, when executed by an authenticated Jenkins user, causes the plugin to connect to an attacker-controlled URL using attacker-specified credentials IDs [1][2].

Exploitation

Exploitation requires that the attacker first obtain valid credentials IDs through another method (e.g., another vulnerability or information disclosure). The attacker then crafts a CSRF attack (e.g., via a malicious link or hosted page) that, when visited by a Jenkins user with the plugin installed, triggers a request to the attacker's server using those credentials. The user does not need special permissions beyond being logged into Jenkins [1][3].

Impact

A successful attack allows the attacker to capture credentials stored in Jenkins, as the plugin sends them to the attacker-specified URL. This can lead to compromise of credential stores and lateral movement within environments using those credentials [1][2].

Mitigation

As of the advisory, no fixed version of the ElasticBox CI Plugin has been released, and the plugin is listed among those with unresolved security issues. Users are advised to either disable the plugin or limit access to Jenkins until a patch is available [1][2].