VYPR
Moderate severity · NVD Advisory · Published Sep 6, 2023 · Updated Sep 26, 2024

CVE-2023-41942

Description

A CSRF vulnerability in Jenkins AWS CodeCommit Trigger Plugin ≤3.0.12 allows attackers to clear the SQS queue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2023-41942 is a cross-site request forgery (CSRF) vulnerability found in the Jenkins AWS CodeCommit Trigger Plugin, affecting versions 3.0.12 and earlier. The root cause is the absence of CSRF protection on a specific endpoint, which allows an attacker to forge requests on behalf of an authenticated Jenkins user [1].

Exploitation

To exploit this vulnerability, an attacker must trick a Jenkins user with access to the plugin into clicking a malicious link or visiting a crafted website. No additional authentication is required beyond the victim's active session; the attacker can then perform unauthorized actions as that user [2].

Impact

If successfully exploited, the attacker can clear the Amazon SQS queue associated with the AWS CodeCommit Trigger plugin. This action could disrupt automated build triggers that rely on SQS notifications, potentially causing denial of service or preventing code commits from initiating builds [1][2].

Mitigation

Status

The Jenkins project has acknowledged this vulnerability, but as of the advisory date (2023-09-06), no patch has been released. The plugin remains without a fix, and users are advised to restrict plugin usage or implement workarounds such as additional access controls [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:aws-codecommit-trigger (Maven)
Affected versions: <= 3.0.12
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1