CVE-2023-41946

Vulnerability

Overview

A cross-site request forgery (CSRF) vulnerability exists in Jenkins Frugal Testing Plugin version 1.1 and earlier. The plugin fails to validate that requests to connect to Frugal Testing originate from a legitimate Jenkins user session, allowing an attacker to trick an authenticated administrator into unknowingly executing actions [1][2][3].

Attack

Vector

To exploit this vulnerability, an attacker must craft a malicious web page or email that, when accessed by a Jenkins user with the necessary permissions, triggers a forged request. The request uses attacker-specified credentials to connect to Frugal Testing. If those credentials correspond to a valid Frugal Testing account, the plugin will retrieve test IDs and names associated with that account and send them back to the attacker [1][3]. No direct authentication on the Jenkins side is bypassed; rather, the victim's browser performs the action on their behalf.

Impact

Successful exploitation allows an attacker to extract sensitive information from Frugal Testing, namely test IDs and names, provided they know or can guess valid credentials for a Frugal Testing user. This information could aid in further targeted attacks or data exposure. The plugin itself does not store credentials; they are supplied by the attacker in the CSRF request [2][3].

Mitigation

As of the Jenkins Security Advisory 2023-09-06, no fix has been released for the Frugal Testing Plugin. The plugin is listed as having an unresolved security issue [2]. Users are advised to disable the plugin or restrict access to Jenkins to trusted users until a patched version becomes available.