Jenkins Security Vulnerabilities: What You Need to Know


Jenkins, an open-source automation server, is the most widely used tool for continuous integration (CI) and continuous delivery (CD) pipelines. Written in Java and running on Windows, macOS, and Linux, it is a fixture of the DevOps toolkit. Like all software, however, Jenkins is not immune to security vulnerabilities, and a CI server is a high-value target: it holds credentials and executes code on every build.

In this article, we will discuss five security vulnerabilities in Jenkins core that were fixed together in Jenkins 2.424 and LTS 2.414.2:

  • CVE-2023-43494: Builds can be filtered by values of sensitive build variables
  • CVE-2023-43495: Stored XSS vulnerability in ExpandableDetailsNote
  • CVE-2023-43496: Temporary plugin file created with insecure permissions
  • CVE-2023-43497 and CVE-2023-43498: Temporary uploaded file created with insecure permissions

1. CVE-2023-43494 (CVSS score of 4.3): Sensitive Build Variables Exposure

Affected Versions: Jenkins 2.50 through 2.423, LTS 2.60.1 through 2.414.1

The build history filter matches a search term against each build's variables, and before the fix that included sensitive variables such as password parameter values. Whether a query returns any builds is therefore an oracle for the secret's contents, even though the value itself is never displayed.

An attacker with Item/Read permission on the job (enough to see its build history) can submit queries that guess the secret one character at a time, keeping each character that still yields a match, until the whole value is recovered. No build log, credential or script access is needed.

Jenkins 2.424 and LTS 2.414.2 fix this by excluding sensitive variables from the filter.
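The following is an added example, not Jenkins code and not from the original article: it models the search oracle described above in Python. The job history, the parameter names, the substring matching rule and the character set are constructed assumptions for the demonstration; the script never contacts a Jenkins controller. It shows the pre-fix filter beside the post-fix one and an Item/Read-level attacker who only learns whether a query matched.

```python
# Added example (not Jenkins code): a model of the search oracle behind
# CVE-2023-43494. The job history, parameter names and the substring matching
# rule are constructed for illustration only; nothing here talks to a
# Jenkins controller.
from dataclasses import dataclass, field
import string


@dataclass
class Build:
    number: int
    display_name: str
    params: dict                                  # parameter name -> value
    sensitive: set = field(default_factory=set)   # names of password parameters


# Constructed sample history: DEPLOY_TOKEN is a password parameter whose
# value is masked in the UI but was still matched by the filter.
JOB_HISTORY = [
    Build(41, "#41", {"BRANCH": "main", "DEPLOY_TOKEN": "s3cr3t-9f"}, {"DEPLOY_TOKEN"}),
    Build(42, "#42", {"BRANCH": "release", "DEPLOY_TOKEN": "s3cr3t-9f"}, {"DEPLOY_TOKEN"}),
    Build(43, "#43 hotfix", {"BRANCH": "main", "DEPLOY_TOKEN": "s3cr3t-9f"}, {"DEPLOY_TOKEN"}),
]


def filter_builds_vulnerable(builds, term):
    """Pre-fix behaviour: every build variable, password parameters
    included, is searchable by substring."""
    return [b for b in builds
            if term in b.display_name
            or any(term in v for v in b.params.values())]


def filter_builds_fixed(builds, term):
    """Post-fix behaviour: sensitive variables are left out of the search."""
    return [b for b in builds
            if term in b.display_name
            or any(term in v for k, v in b.params.items() if k not in b.sensitive)]


def visible_values(builds):
    """What an Item/Read user can read from the build pages anyway:
    display names and non-sensitive parameter values."""
    known = set()
    for b in builds:
        known.add(b.display_name)
        known.update(v for k, v in b.params.items() if k not in b.sensitive)
    return known


CHARSET = string.ascii_lowercase + string.digits + "-_"


def recover_unknown_values(filter_fn, builds, charset=CHARSET, max_len=64):
    """Item/Read-level attacker: the only signal is whether a query matched.
    Grows a guess one character at a time, branching wherever the oracle says
    yes, and keeps the strings that cannot be extended further. Returns the
    recovered strings that are not fragments of values the user could read
    anyway, plus the number of queries spent."""
    known = visible_values(builds)
    queries = 0
    found = set()

    def oracle(term):
        nonlocal queries
        queries += 1
        return bool(filter_fn(builds, term))

    def extend(prefix):
        extended = False
        if len(prefix) < max_len:
            for c in charset:
                if oracle(prefix + c):
                    extended = True
                    extend(prefix + c)
        if prefix and not extended:
            found.add(prefix)

    extend("")
    # Keep only maximal strings (not contained in a longer hit) and drop
    # fragments of values that are visible in the UI anyway.
    maximal = {s for s in found if not any(s != t and s in t for t in found)}
    unknown = sorted(s for s in maximal if not any(s in k for k in known))
    return unknown, queries


if __name__ == "__main__":
    leaked, n = recover_unknown_values(filter_builds_vulnerable, JOB_HISTORY)
    print(f"vulnerable filter leaked {leaked} after {n} queries")
    leaked, n = recover_unknown_values(filter_builds_fixed, JOB_HISTORY)
    print(f"fixed filter leaked {leaked} after {n} queries")
```

Against the pre-fix filter the search recovers `s3cr3t-9f` with a few thousand yes/no queries and nothing else, because every other fragment it finds belongs to a value the attacker could already read on the build page; against the post-fix filter it recovers nothing. Note that Item/Read alone is enough for every query, which is why restricting that permission matters in the recommendations at the end of this article.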

2. CVE-2023-43495 (CVSS Score: 8.0): Stored XSS Vulnerability

Affected Versions: Jenkins 2.423 and earlier, LTS 2.414.1 and earlier

ExpandableDetailsNote is a console annotation that plugins use to add a collapsible details section to a build log. Its caption constructor parameter was written into the generated HTML without escaping.

Any plugin that passes attacker-influenced text as the caption therefore creates a stored XSS: the injected markup is saved with the build log and executes in the browser of every user who views that log, with that user's Jenkins session and permissions.

Starting with Jenkins 2.424 and LTS 2.414.2, the caption constructor parameter is escaped before it is inserted into the markup.
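To make the attribute break-out concrete, here is an added example that is not Jenkins code and not from the original article. It models the shape of the markup the note emits (a button whose value attribute carries the caption, followed by the details block); the exact attribute layout, the attacker captions and the detail text are constructed assumptions. It renders the caption the unescaped way and the escaped way, then audits the result with Python's HTML parser for anything a browser would execute.

```python
# Added example (not Jenkins code): a model of the markup shape behind
# CVE-2023-43495. ExpandableDetailsNote renders a button whose value is the
# caption followed by a details block; the exact attribute layout below is an
# approximation used to show the attribute break-out and the effect of escaping.
from html import escape
from html.parser import HTMLParser


def render_note_vulnerable(caption, detail_html):
    """Pre-fix: the caption is concatenated straight into an attribute.
    The detail body is raw HTML by design and is not the problem here."""
    return ("<input type=button value='" + caption + "' class='reveal-expandable-detail'>"
            "<div class='expandable-detail'>" + detail_html + "</div>")


def render_note_fixed(caption, detail_html):
    """Post-fix: quotes, ampersands and angle brackets in the caption are
    escaped, so it can only ever be the button's label."""
    return ("<input type=button value='" + escape(caption, quote=True)
            + "' class='reveal-expandable-detail'>"
            "<div class='expandable-detail'>" + detail_html + "</div>")


class ScriptAudit(HTMLParser):
    """Records what a browser would execute from the markup: every on*
    event handler attribute and every <script> element."""

    def __init__(self):
        super().__init__()
        self.handlers = []       # (tag, attribute, value)
        self.scripts = 0
        self.button_labels = []  # what the user would see on the button

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name, value))
            if tag == "input" and name == "value":
                self.button_labels.append(value)


def audit(markup):
    parser = ScriptAudit()
    parser.feed(markup)
    parser.close()
    return {"handlers": parser.handlers,
            "scripts": parser.scripts,
            "button_labels": parser.button_labels}


# Constructed attacker-controlled captions: one breaks out of the attribute
# value, the other breaks out of the tag entirely.
ATTR_BREAKOUT = "x' onclick='fetch(\"/evil?c=\"+document.cookie)"
TAG_BREAKOUT = "'><img src=x onerror=alert(1)>"
DETAIL = "<pre>java.lang.RuntimeException: build failed</pre>"


if __name__ == "__main__":
    for caption in (ATTR_BREAKOUT, TAG_BREAKOUT):
        print("vulnerable:", audit(render_note_vulnerable(caption, DETAIL)))
        print("fixed:     ", audit(render_note_fixed(caption, DETAIL)))
```

The unescaped rendering yields an `onclick` handler on the button in the first case and a stray `<img onerror>` element in the second; the escaped rendering yields no handlers at all, and the parser reports the attacker's string back verbatim as the button label, which is exactly where it belongs. The same check applies to any plugin code that builds console markup from user-controlled text.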

3. CVE-2023-43496 (CVSS score of 7.0): Temporary Plugin File Security Lapse

Affected Versions: Jenkins 2.423 and earlier, LTS 2.414.1 and earlier

When a plugin is installed from a URL, Jenkins downloads it to a temporary file in the system temporary directory (java.io.tmpdir, usually /tmp) before installing it. On Unix-like systems that file was created with the default permissions, which typically leave it readable by every local account.

Any other user with access to the controller's file system can therefore read the downloaded plugin and, where the permissions allow it, replace its contents in the window before Jenkins installs it. Because plugin code runs inside the Jenkins controller, a tampered plugin means arbitrary code execution on the controller.

Jenkins 2.424 and LTS 2.414.2 create the temporary file in a subdirectory with more restrictive permissions.

4. CVE-2023-43497 and CVE-2023-43498: Temporary Upload File Exposure

Affected Versions: Jenkins 2.423 and earlier, LTS 2.414.1 and earlier

The same temporary-file weakness applies to file uploads. Files received through the Stapler web framework (CVE-2023-43497) and through Jenkins' own MultipartFormDataParser (CVE-2023-43498), such as file parameters supplied to a build, are buffered as temporary files in the system temporary directory, and on Unix-like systems those files were created with the default permissions as well.

An attacker with access to the system temporary directory can read the uploaded files and, where the permissions allow it, modify them before Jenkins processes them.

Jenkins 2.424 and LTS 2.414.2 store these temporary files in a subdirectory with more restrictive permissions. If you cannot update immediately, point the Java system property java.io.tmpdir at a directory that is owned by the account Jenkins runs as and not accessible to other users, so that temporary files are no longer created in the shared directory.
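The upload findings and the plugin download in section 3 share one mechanism, so one added example covers both. It is not Jenkins code and not from the original article: it models the pre-fix and post-fix patterns in Python on a POSIX system, with Python's tempfile calls standing in for the Java ones. The umask value, the file name prefix and the payload bytes are constructed for the demonstration.

```python
# Added example (not Jenkins code): the temporary-file pattern behind
# CVE-2023-43496, CVE-2023-43497 and CVE-2023-43498, modelled in Python on a
# POSIX system. The Python tempfile calls stand in for the Java ones; the
# umask value and the sample payload are constructed for the demonstration.
import os
import secrets
import stat
import tempfile


def create_temp_vulnerable(data, prefix="jenkins-", suffix=".jpi", umask=0o022):
    """Pre-fix pattern: a uniquely named file directly in the shared temp
    directory, with whatever mode the umask leaves (0666 & ~umask, so 0644
    under the usual 022: readable by every local account)."""
    old_umask = os.umask(umask)   # pin the umask so the result is reproducible
    try:
        path = os.path.join(tempfile.gettempdir(), prefix + secrets.token_hex(8) + suffix)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def create_temp_fixed(data, prefix="jenkins-", suffix=".jpi"):
    """Post-fix pattern: a private subdirectory (0700) first, then the file
    inside it (0600). Other accounts cannot even list the directory."""
    private_dir = tempfile.mkdtemp(prefix=prefix)
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=suffix, dir=private_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def permission_report(path):
    """Mode bits of the file and its directory, and whether another local
    account could read or write the file: that needs read/write bits on the
    file and search permission on the directory."""
    file_mode = stat.S_IMODE(os.stat(path).st_mode)
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    others_can_open = bool(file_mode & 0o066)     # group/other read or write
    others_can_traverse = bool(dir_mode & 0o011)  # group/other search (x)
    return {"file": oct(file_mode), "dir": oct(dir_mode),
            "exposed": others_can_open and others_can_traverse}


def cleanup(path):
    """Remove the file, and its private directory if we created one."""
    parent = os.path.dirname(path)
    os.remove(path)
    if os.path.realpath(parent) != os.path.realpath(tempfile.gettempdir()):
        os.rmdir(parent)


def demo(payload=b"PK\x03\x04 constructed plugin archive header"):
    """Create a file both ways, report on each, and clean up."""
    vulnerable = create_temp_vulnerable(payload)
    fixed = create_temp_fixed(payload)
    try:
        return {"vulnerable": permission_report(vulnerable),
                "fixed": permission_report(fixed)}
    finally:
        cleanup(vulnerable)
        cleanup(fixed)


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name:10} file={report['file']} dir={report['dir']} exposed={report['exposed']}")
```

On a typical Linux host the pre-fix file comes out as 0644 inside a world-searchable /tmp, so every local account can open it during the window before Jenkins uses it; the post-fix file is 0600 inside a 0700 directory, so nobody else can even reach it. The java.io.tmpdir workaround from the advisory achieves the same thing for an unpatched controller by moving the whole temporary directory out of the shared location: start the JVM with, for example, `-Djava.io.tmpdir=/var/lib/jenkins/tmp` (an illustrative path), with that directory owned by the Jenkins service account and mode 0700.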

If you are using Jenkins, it is important to take steps to mitigate these security vulnerabilities. Here are some recommendations:

  • Update Jenkins. Jenkins 2.424, LTS 2.414.2 and later fix all of the vulnerabilities discussed in this article. Compare the version shown in the page footer or in the X-Jenkins response header against those numbers.
  • Review your Jenkins security configuration. Jenkins core has no built-in two-factor authentication, so delegate login to an identity provider that enforces it, and keep authorization on a matrix- or role-based strategy rather than granting everyone administrative rights.
  • Restrict access to Jenkins. Grant Item/Read only to users who need it; the first vulnerability above needs nothing more than that permission on a job.
  • Monitor Jenkins for suspicious activity, such as failed logins, configuration changes and plugin installations, and forward its logs to your security monitoring.
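As an added example that is not part of the original article and not Jenkins code, the following Python function checks a Jenkins version string against the affected ranges quoted above, so the first recommendation can be applied to a fleet of controllers without reading each advisory by hand. The version strings in the demo are constructed; the X-Jenkins header it reads is the one Jenkins adds to its HTTP responses.

```python
# Added example (not Jenkins code): an offline check of a Jenkins version
# string against the affected ranges quoted in this article. The version
# strings used in the demo are constructed; the X-Jenkins header is the one
# Jenkins adds to its HTTP responses.

# Inclusive ranges per release line, as stated in the article.
# None means "no lower bound".
ADVISORY = {
    "CVE-2023-43494": {"weekly": ("2.50", "2.423"), "lts": ("2.60.1", "2.414.1")},
    "CVE-2023-43495": {"weekly": (None, "2.423"), "lts": (None, "2.414.1")},
    "CVE-2023-43496": {"weekly": (None, "2.423"), "lts": (None, "2.414.1")},
    "CVE-2023-43497": {"weekly": (None, "2.423"), "lts": (None, "2.414.1")},
    "CVE-2023-43498": {"weekly": (None, "2.423"), "lts": (None, "2.414.1")},
}
FIXED_IN = {"weekly": "2.424", "lts": "2.414.2"}


def parse_version(text):
    """Weekly releases are MAJOR.MINOR (2.423); LTS releases add a third
    component (2.414.1). Returns a tuple of ints, which compares correctly
    within a release line (2.50 < 2.423, unlike string comparison)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return parts


def release_line(parts):
    return "lts" if len(parts) == 3 else "weekly"


def affected_cves(version):
    """CVE ids from this advisory that apply to the given version."""
    v = parse_version(version)
    line = release_line(v)
    hits = []
    for cve, ranges in ADVISORY.items():
        low, high = ranges[line]
        if (low is None or parse_version(low) <= v) and v <= parse_version(high):
            hits.append(cve)
    return hits


def assess(version):
    """Verdict for one controller plus the release that closes the findings."""
    hits = affected_cves(version)
    line = release_line(parse_version(version))
    return {"version": version, "line": line, "affected": hits,
            "update_to": FIXED_IN[line] if hits else None}


def assess_from_headers(headers):
    """Jenkins reports its version in the X-Jenkins response header;
    `headers` is a dict of response headers (case-insensitive lookup).
    Returns None if the header is absent."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return assess(value)
    return None


if __name__ == "__main__":
    for v in ("2.423", "2.424", "2.414.1", "2.414.2", "2.46.3"):
        print(assess(v))
```

One nuance the check captures: an LTS controller older than 2.60.1 (for example 2.46.3) is affected by the four temporary-file and XSS issues but not by CVE-2023-43494, because the build filter that leaks sensitive variables only exists from 2.50 onwards. Either way the answer is the same: move to 2.424 or LTS 2.414.2.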