The Jenkins OpenShift Pipeline Plugin, in versions 1.0.57 and earlier, contains a flaw where it insecurely handles sensitive authentication tokens. When a job is configured to interact with an OpenShift cluster, the plugin requires an authorization token. Instead of leveraging Jenkins’s built-in credential store or encrypting the data, the plugin directly writes this token in plaintext into the job’s `config.xml` file on the controller’s filesystem. Any user or process with Item/Extended Read permissions for that job can view the token through the Jenkins web interface. Furthermore, any entity with filesystem access to the Jenkins controller can read the `config.xml` file for any job, thereby exfiltrating the plaintext token. This exposed token can then be used to gain unauthorized access to the OpenShift cluster with the permissions of the leaked credential.
Platform: Jenkins Plugin
Version: <=1.0.57
Vulnerability: Information Disclosure
Severity: Moderate
Date: 2024-10-29
Prediction: 2024-11-19
What Undercode Says:
`grep -r "authorizationToken" $JENKINS_HOME/jobs/`
`grep -A 5 -B 5 "tokenValue" /var/lib/jenkins/jobs/myjob/config.xml`
How It Is Exploited:
Attackers with Item/Extended Read permission browse to `/job/myjob/config.xml` via the web UI. Alternatively, an attacker with filesystem access navigates to the `$JENKINS_HOME/jobs/myjob/` directory and directly views the `config.xml` file to find the plaintext token.
Protection from this CVE:
Monitor for a plugin update that fixes the plaintext storage. Restrict Item/Extended Read permissions so that only trusted users can view job configurations. Secure the Jenkins controller filesystem so that `$JENKINS_HOME/jobs/*/config.xml` is not readable by other users or processes.
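The grep commands above and the protection advice can be turned into a repeatable audit that a Jenkins administrator runs on the controller. The following Python script is an added example, not part of the original post and not code from the plugin: it parses each job's `config.xml`, flags token-like elements that hold a non-empty value, and skips values that already look like Jenkins-encrypted secrets (the brace-wrapped base64 form Jenkins writes for `Secret` fields, used here as a heuristic). The element names it matches are assumptions, since this page does not give the plugin's exact XML schema; `authorizationToken` and `tokenValue` come from the grep examples, and the sample config is constructed for illustration.

```python
"""Audit Jenkins job config.xml files for plaintext token-like values.

Added example for the advisory above; not the plugin's code. Element names
are matched by substring, so it also reports other plugins that store a
"token" field unencrypted.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Assumption: the secret lives in an element whose tag contains "token"
# (e.g. authorizationToken or tokenValue from the advisory's grep lines).
TOKEN_TAG_RE = re.compile(r"token", re.IGNORECASE)

# Heuristic: values stored through Jenkins' Secret class are written as
# base64 wrapped in braces, e.g. {AQAAABAAAA...}. Anything else is plaintext.
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample config: one plaintext token and one encrypted secret.
# The step element name is illustrative, not the plugin's real class name.
SAMPLE_CONFIG = """<project>
  <builders>
    <exampleOpenShiftStep>
      <apiURL>https://openshift.example.internal:8443</apiURL>
      <authorizationToken>sha256~ExamplePlaintextTokenDoNotUse</authorizationToken>
    </exampleOpenShiftStep>
    <hudson.tasks.Shell>
      <command>echo hello</command>
    </hudson.tasks.Shell>
  </builders>
  <properties>
    <someToken>{AQAAABAAAAAQeXamPlEbAsE64eNcRyPtEdVaLuE=}</someToken>
    <emptyToken></emptyToken>
  </properties>
</project>
"""


def redact(value, keep=4):
    """Keep only a short prefix so the audit log does not leak the secret."""
    return value[:keep] + "***"


def find_plaintext_tokens(xml_text):
    """Return [(tag, value)] for token-like elements holding a plaintext value."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if not TOKEN_TAG_RE.search(elem.tag):
            continue
        value = (elem.text or "").strip()
        if not value or ENCRYPTED_SECRET_RE.match(value):
            continue  # empty, or already stored as a Jenkins Secret
        findings.append((elem.tag, value))
    return findings


def scan_jobs_dir(jenkins_home):
    """Walk $JENKINS_HOME/jobs (folders included) and collect findings per file."""
    report = {}
    jobs_dir = os.path.join(jenkins_home, "jobs")
    for dirpath, _dirnames, filenames in os.walk(jobs_dir):
        if "config.xml" not in filenames:
            continue
        path = os.path.join(dirpath, "config.xml")
        try:
            with open(path, encoding="utf-8") as fh:
                hits = find_plaintext_tokens(fh.read())
        except (OSError, ET.ParseError) as exc:
            print(f"skipping {path}: {exc}", file=sys.stderr)
            continue
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_jobs_dir(sys.argv[1])
    else:
        # No path given: run against the constructed sample instead.
        results = {"<sample>": find_plaintext_tokens(SAMPLE_CONFIG)}
    for path, hits in results.items():
        for tag, value in hits:
            print(f"{path}: <{tag}> holds plaintext value {redact(value)}")
```

Run it as `python audit_jenkins_tokens.py /var/lib/jenkins` from an account that can read `$JENKINS_HOME`; with no argument it demonstrates itself on the embedded sample. Output is redacted on purpose, since the audit log should not become a second copy of the secret. Any real hit means the token has already been exposed to everyone with Item/Extended Read or filesystem access, so beyond updating the plugin the token should be revoked on the OpenShift side and the job reconfigured to use the Jenkins credential store.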
Impact:
Unauthorized OpenShift API access. Potential cluster compromise. Credential leakage.
Sources:
Reported By: github.com