VYPR
Moderate severity · NVD Advisory · Published May 2, 2024 · Updated Feb 13, 2025

CVE-2024-34148

Description

Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier bypasses a security fix for CVE-2016-3721 when building from release tags.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Jenkins Subversion Partial Release Manager Plugin versions 1.0.1 and earlier contain a vulnerability that disables a critical security fix for CVE-2016-3721. This fix originally prevented parameter injection attacks by blocking undefined parameters. When a build is triggered from a release tag, the plugin programmatically sets the Java system property 'hudson.model.ParametersAction.keepUndefinedParameters', which re-enables the acceptance of undefined parameters, thereby undermining the earlier security improvement [1][3].

Exploitation and Attack Surface

An attacker can exploit this vulnerability by crafting a release tag that triggers a build. No special privileges are required beyond the ability to create or supply a release tag to a Jenkins instance using the affected plugin. The plugin automatically disables the parameter safety mechanism without any explicit user authorization, meaning any build from a release tag becomes susceptible to parameter injection attacks [2][3].

Impact

By leveraging this weakness, an attacker can inject arbitrary parameters into a build, potentially leading to unauthorized operations, data exposure, or further compromise of the Jenkins environment. This effectively bypasses the security controls established by the CVE-2016-3721 fix, which was designed to prevent such parameter-based attacks [1][3].

Mitigation Status

As of the advisory publication date (2024-05-02), no fixed version of the Subversion Partial Release Manager Plugin has been released, and the vulnerability remains unpatched [2]. Jenkins users are advised to monitor the plugin's updates for a fix. Until then, administrators may consider avoiding the use of release tags that trigger builds or uninstalling the plugin if it is not essential [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
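The narrative above describes a JVM-wide system property being flipped by a plugin at build time. The following Jenkins Script Console check is an added example, not code from the advisory or from the plugin; it assumes the plugin's short name equals its Maven artifactId ("partial-release-manager") and reports both whether an affected version is installed and whether the CVE-2016-3721 safeguard is currently switched off in the running controller.

```groovy
// Jenkins Script Console (Manage Jenkins > Script Console) exposure check for CVE-2024-34148.
// Added example; not part of the advisory or the plugin's own code.
// Assumption: the plugin short name is the Maven artifactId "partial-release-manager".
import jenkins.model.Jenkins
import hudson.util.VersionNumber

def findings = []

// 1. Is the affected plugin installed at a vulnerable version (<= 1.0.1; no fix released)?
def plugin = Jenkins.get().pluginManager.getPlugin("partial-release-manager")
if (plugin == null) {
    findings << "partial-release-manager: not installed"
} else {
    def affected = !plugin.versionNumber.isNewerThan(new VersionNumber("1.0.1"))
    findings << "partial-release-manager ${plugin.version} (active=${plugin.active}): " +
                (affected ? "AFFECTED, no patched version available" : "outside the affected range")
}

// 2. Has the keepUndefinedParameters safeguard already been disabled in this JVM?
// A system property is global to the controller process, so once a release-tag build
// has set it, every job's parameter filtering is relaxed until the property is cleared
// or the controller restarts, not only the job that triggered it.
def prop  = "hudson.model.ParametersAction.keepUndefinedParameters"
def value = System.getProperty(prop)
findings << "${prop} = ${value ?: '<unset>'}" +
            (value == "true" ? "  <-- undefined build parameters are currently accepted" : "")

println findings.join("\n")
```

Clearing the property with System.clearProperty(prop) restores the filter only until the next release-tag build sets it again, so it is a stopgap rather than a substitute for the mitigations listed above.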

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                              Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:partial-release-manager       Maven       <= 1.0.1            none

Affected products: 2

Patches: 0 (no patches discovered yet)
