VYPR
Moderate severity · NVD Advisory · Published Nov 29, 2023 · Updated Jun 5, 2025

CVE-2023-49673

Description

CSRF vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to arbitrary hosts using attacker-supplied credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins NeuVector Vulnerability Scanner Plugin version 1.22 and earlier [1][2]. The plugin's configuration form does not require a CSRF token or perform origin validation, enabling an attacker to trick an authenticated Jenkins user into submitting a malicious request. As a result, the plugin connects to an attacker-specified hostname and port using an attacker-specified username and password [3].

Exploitation Prerequisites

Exploitation requires that an authenticated Jenkins user with access to the plugin's configuration page trigger a crafted request, typically by visiting a malicious site hosting the CSRF exploit [3]. No additional privileges beyond the victim's session are needed, though the attacker must know or guess the Jenkins instance URL and have network reachability to the victim's Jenkins instance.

Potential Impact

An attacker who successfully exploits this vulnerability can force the NeuVector plugin to connect to an arbitrary external host with credentials chosen by the attacker [2]. This could be used to probe internal network ports or initiate unauthorized connections, potentially exfiltrating Jenkins credentials if the attacker-controlled host mimics a legitimate service.

Mitigation

The vulnerability has been fixed in NeuVector Vulnerability Scanner Plugin version 2.2 [4]. Users should upgrade to this release or later. No workarounds are documented; as a general precaution, administrators may restrict plugin configuration access to trusted users only [3].
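As an added illustration of the flaw described under Vulnerability Description and of the kind of server-side fix the mitigation refers to, the following is hypothetical Jenkins plugin code, not the NeuVector plugin's own source (its real method and field names are not on this page and are assumed here). It shows a Stapler form-validation handler reachable by GET, beside the same handler restricted to POST with an explicit permission check; the connection attempt itself is a placeholder.

```java
package example.jenkins; // assumed package, not the plugin's real one

import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical descriptor-style validation handlers; names are assumptions for illustration.
public class ConnectionCheckExample {

    // BEFORE: a Stapler "doXxx" method with no HTTP-verb restriction answers GET requests,
    // and Jenkins' CSRF crumb check is not applied to GET. A request forged from another
    // site in an authenticated user's browser therefore reaches this code, and the server
    // opens a connection to whatever host and credentials the query string carried.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String hostname,
                                                     @QueryParameter int port,
                                                     @QueryParameter String username,
                                                     @QueryParameter String password) {
        return tryConnect(hostname, port, username, Secret.fromString(password));
    }

    // AFTER: @POST makes Stapler reject any non-POST request, so the crumb check now
    // covers it, and checkPermission stops users without administer rights from turning
    // the Jenkins controller into a connection proxy even via a legitimate form submit.
    @POST
    public FormValidation doTestConnection(@QueryParameter String hostname,
                                           @QueryParameter int port,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (hostname == null || hostname.isEmpty() || port < 1 || port > 65535) {
            return FormValidation.error("Hostname and a valid port (1-65535) are required");
        }
        return tryConnect(hostname, port, username, Secret.fromString(password));
    }

    // Placeholder for the real scanner client call, which is not part of this example.
    private FormValidation tryConnect(String host, int port, String user, Secret pass) {
        return FormValidation.ok("Connection settings accepted for " + host + ":" + port);
    }
}
```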

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:neuvector-vulnerability-scanner (Maven)
Affected versions: < 2.2
Patched versions: 2.2

Affected products: 2

Patches: 0

No patches discovered yet.

References: 4

News mentions: 1