VYPR
Moderate severity · NVD Advisory · Published Nov 29, 2023 · Updated Feb 13, 2025

CVE-2023-49674


Description

Missing permission check in Jenkins NeuVector Vulnerability Scanner Plugin allows attackers with Overall/Read permission to connect to arbitrary host:port with attacker-specified credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Missing Permission Check in NeuVector Vulnerability Scanner Plugin

[1][2][4] CVE-2023-49674 describes a missing permission check in the Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier. The plugin fails to verify that a user has the necessary permissions (beyond the basic Overall/Read) before allowing outgoing connections configured through the plugin's settings.

Exploitation

[1][2][3][4] An attacker who has only Overall/Read permission—a relatively low-level access that is often granted broadly—can exploit this flaw. The attacker can specify an arbitrary hostname and port, along with a username and password of their choice. The plugin will then attempt to connect to that external endpoint using the attacker-supplied credentials, essentially allowing the attacker to perform a server-side request forgery (SSRF) style attack or to test credentials against arbitrary services.

Impact

[1][2][3][4] Successful exploitation enables the attacker to probe networks or services reachable from the Jenkins controller. By providing their own credentials and target, the attacker can conduct reconnaissance on internal or external services, potentially leading to credential exposure or further compromise if the target service accepts the attacker-supplied credentials.

Mitigation

[3][4] The NeuVector Vulnerability Scanner Plugin version 2.2 fixes this missing permission check by enforcing proper authorization before allowing such connections. Users are advised to update to version 2.2 or later. The vulnerability is also addressed in the Jenkins Security Advisory published on 2023-11-29.
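The vulnerable pattern described under Exploitation and the fix described under Mitigation, side by side, as an added example that is not the plugin's own code: a hypothetical Jenkins GlobalConfiguration exposing a connectivity-test form-validation endpoint, once without and once with the permission check. Class and method names are invented, and the real plugin's credential-based login test is reduced to a plain TCP connect.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical global-configuration descriptor; class, method and field names are
// invented for illustration and are not taken from the NeuVector plugin's source.
@Extension
public class ScannerSettingsExample extends GlobalConfiguration {

    // Vulnerable pattern (the bug class behind CVE-2023-49674): Stapler exposes this
    // method as a web endpoint to any authenticated user with Overall/Read, and nothing
    // checks a stronger permission, so the controller opens a connection to whatever
    // host:port the caller supplies.
    public FormValidation doTestConnection(@QueryParameter String host,
                                           @QueryParameter int port) {
        return probe(host, port);
    }

    // Hardened pattern: require an administrative permission before any outbound
    // connection is attempted, and restrict the endpoint to POST, which is the
    // standard Jenkins guidance for form-validation methods with side effects.
    @POST
    public FormValidation doTestConnectionHardened(@QueryParameter String host,
                                                   @QueryParameter int port) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(host, port);
    }

    // Stand-in for the plugin's real connectivity/login test: a plain TCP connect with
    // a short timeout. Credentials are omitted here; code that needs them should select
    // a stored credential by id rather than accept a raw username and password.
    private static FormValidation probe(String host, int port) {
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress(host, port), 3000);
            return FormValidation.ok("Connected to " + host + ":" + port);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

Reviewing a plugin for this class of bug means checking every `do*` method and every `@QueryParameter`-driven validation for a `checkPermission` call that goes beyond Overall/Read.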

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:neuvector-vulnerability-scanner (Maven)
Affected versions: < 2.2
Patched versions: 2.2
