VYPR
Moderate severity · NVD Advisory · Published Jul 12, 2023 · Updated Nov 6, 2024

CVE-2023-37965

Description

Jenkins ElasticBox CI Plugin 5.0.1 and earlier lacks a permission check, allowing attackers with Overall/Read to connect to an attacker-specified URL using stored credentials via a crafted request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

A missing permission check in Jenkins ElasticBox CI Plugin 5.0.1 and earlier enables attackers who already have Overall/Read permission to cause the plugin to connect to an attacker-controlled URL using attacker-specified credentials IDs obtained through another method [1][2]. This effectively bypasses the intended authorization controls, allowing the plugin to perform an authenticated request on behalf of Jenkins with those stored credentials.

Attack Vector and Exploitation

The attack requires the attacker to possess the Overall/Read permission, which is often granted to low-privileged users or read-only roles. Additionally, the attacker must know the credentials IDs they wish to use—these may be obtained via separate information disclosure vulnerabilities or by enumerating available credential stores [1][3]. The plugin does not validate that the user is authorized to use the specified credentials or to connect to arbitrary URLs, making the exploit straightforward once the prerequisites are met.

Impact

By successfully exploiting this vulnerability, an attacker can capture credentials stored in Jenkins, as the plugin will connect to the attacker's server and transmit the credential values in the process [1][2]. This can lead to credential theft and further compromise of the Jenkins environment, especially if the stolen credentials have elevated privileges or access to sensitive systems [3].

Mitigation

As of the Jenkins Security Advisory 2023-07-12, the ElasticBox CI Plugin has no available fix; the vulnerability remains unresolved [2]. Users are advised to either restrict the Overall/Read permission to trusted users or to disable the plugin if it is not essential. No workaround has been provided by the vendor.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:elasticbox (Maven)
Affected versions: <= 5.0.3
Patched versions: (none listed)

Patches

No patches discovered yet.
