VYPR
Moderate severity · NVD Advisory · Published Sep 6, 2023 · Updated Sep 26, 2024

CVE-2023-41938

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Ivy Plugin 2.5 and earlier is vulnerable to CSRF, allowing attackers to delete disabled modules.

Vulnerability Overview

The Jenkins Ivy Plugin, up to and including version 2.5, contains a cross-site request forgery (CSRF) vulnerability ([1], [2]). An attacker can exploit it to delete disabled modules; the attacker needs no credentials of their own, only that an authenticated Jenkins user be tricked into issuing the forged request.

Attack Vector

The attack is performed by crafting a malicious web page or link that, when visited by an authenticated Jenkins administrator, sends a forged request to the Jenkins server. The request triggers a delete operation on disabled modules, leveraging the victim's active session. No additional privileges are needed on the attacker's part, as the victim's browser authenticates the request automatically.
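The following is an added illustration of the server-side guard that stops the class of request described above; it is not Jenkins or Ivy Plugin code and not the fix shipped in version 2.6. It models Jenkins's crumb pattern (a per-session anti-CSRF token sent in a `Jenkins-Crumb` header or form field) with a constructed session store and a hypothetical delete endpoint path, and runs four constructed requests through the check: a forged GET, a forged POST without a crumb, a forged POST with a guessed crumb, and a legitimate same-origin POST.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side secret used to derive crumbs. Constructed here for the example;
# a real server keeps this in protected storage.
SECRET_KEY = secrets.token_bytes(32)

# Constructed session store: session cookie value -> authenticated user name.
SESSIONS = {"sess-admin-1": "admin"}


def issue_crumb(session_id: str) -> str:
    """Crumb (anti-CSRF token) bound to one session: HMAC-SHA256(secret, session id).

    The crumb is only handed to pages served from the Jenkins origin, so a page
    on another site cannot read it (same-origin policy), even though the browser
    still attaches the session cookie to requests that page triggers."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def authorize_state_change(req: Request) -> tuple[bool, str]:
    """Decide whether a state-changing request (e.g. deleting a module) may proceed.

    Returns (allowed, reason). The three checks are the properties a CSRF guard
    needs: no side effects on GET, a valid session, and a crumb that only a
    same-origin page could have obtained."""
    # 1. A delete reachable via GET can be fired by an <img src=...> on any site.
    if req.method != "POST":
        return False, "state change requires POST"
    # 2. Unauthenticated callers are rejected outright.
    session_id = req.cookies.get("JSESSIONID")
    if session_id not in SESSIONS:
        return False, "no authenticated session"
    # 3. The crumb may arrive as a header or a form field and must match this session.
    presented = req.headers.get("Jenkins-Crumb") or req.form.get("Jenkins-Crumb")
    if not presented:
        return False, "missing crumb"
    # Constant-time comparison so a mismatch leaks nothing about the expected value.
    if not hmac.compare_digest(presented, issue_crumb(session_id)):
        return False, "crumb does not match session"
    return True, f"delete authorized for {SESSIONS[session_id]}"


def scenarios() -> dict[str, tuple[bool, str]]:
    """Four constructed requests against the same (hypothetical) delete endpoint."""
    path = "/job/example/module/disabled-module/doDelete"  # hypothetical path
    cookie = {"JSESSIONID": "sess-admin-1"}  # the victim's live session, sent by the browser
    return {
        # Cross-site page embeds the URL in an image tag: cookie present, but method is GET.
        "forged_get": authorize_state_change(Request("GET", path, cookies=cookie)),
        # Cross-site auto-submitted form: cookie present, crumb unreadable from that origin.
        "forged_post_no_crumb": authorize_state_change(Request("POST", path, cookies=cookie)),
        # Cross-site form with a guessed crumb value: rejected by the HMAC comparison.
        "forged_post_bad_crumb": authorize_state_change(
            Request("POST", path, cookies=cookie, form={"Jenkins-Crumb": "0" * 64})),
        # Same-origin page fetched the crumb and sends it with the POST.
        "legitimate_post": authorize_state_change(
            Request("POST", path, cookies=cookie,
                    headers={"Jenkins-Crumb": issue_crumb("sess-admin-1")})),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The point the four scenarios make is that the victim's cookie is present in every request, so authentication alone cannot distinguish a forged request from a legitimate one; only the method restriction and the session-bound crumb do, which is why a plugin endpoint that performs a delete without them is exploitable exactly as the advisory describes.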

Impact

Successful exploitation allows the attacker to delete disabled modules managed by the Ivy Plugin. This could disrupt build configurations, dependency management, and may result in a loss of functionality within affected Jenkins jobs that rely on those modules. The impact is limited to actions the victim can perform while authenticated, but can be severe if critical modules are removed.

Mitigation

The vulnerability is fixed in Ivy Plugin version 2.6 and later [2]. Users are strongly advised to update their plugin to the latest version. Jenkins released a security advisory on 2023-09-06 detailing this and other vulnerabilities [1]. No workaround is available other than upgrading.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:ivy (Maven)
Affected versions: <= 2.5
Patched versions: (none listed)

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1