Coordinated Disclosure Timeline
- 2023-03-28: Issue reported to the Jenkins Security Team
- 2023-06-14: Advisory published
Summary
AWS CodeCommit Trigger Jenkins Plugin 3.0.12 and earlier does not restrict a file name path parameter in an HTTP endpoint, allowing authenticated attackers to read arbitrary files on the Jenkins controller file system.
Product
AWS CodeCommit Trigger Plugin
Tested Version
Details
Path traversal in SQSActivityAction.java (GHSL-2023-054)
The AWS CodeCommit Trigger Jenkins Plugin implements an action called SQSActivityAction, which exposes a method doDownload that is accessible via HTTP requests:
src/main/java/com/ribose/jenkins/plugin/awscodecommittrigger/SQSActivityAction.java:79

    public void doDownload() throws IOException, ServletException {
        StaplerRequest request = Stapler.getCurrentRequest();
        StaplerResponse response = Stapler.getCurrentResponse();
        // "name" is the unvalidated remainder of the request URL
        String name = request.getRestOfPath();
        // no normalization or containment check: "../" segments escape activityDir
        File file = new File(this.activityDir.getPath() + "/" + name);
        if (file.exists()) {
            FileInputStream is = FileUtils.openInputStream(file);
            response.serveFile(request, is, 0L, 60_000L, file.length(), name);
        } else {
            response.setStatus(HttpStatus.SC_NOT_FOUND);
            response.getOutputStream().println("sorry, we not found it " + name.replace("/", ""));
        }
    }
name is obtained from the request path and appended directly to a filesystem path; the only check before the file is served back to the user is file.exists(). By using path traversal sequences (../), an attacker can make this endpoint read any file on the Jenkins controller filesystem that the Jenkins process itself can read.
This issue was found by the "Uncontrolled data used in path expression" CodeQL query.
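The following is an added example, not the plugin's own code, showing how doDownload can be hardened. It keeps the same activityDir field and the Stapler, commons-io and httpcore types used in the snippet above, and assumes (an assumption, not something the advisory states) that getRestOfPath() returns the remainder of the URL with a leading slash. The fix is an allow-list on the name plus a canonical containment check, so that neither a decoded "../" nor a still-encoded "..%2f" can leave the activity directory.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Path;
import javax.servlet.ServletException;
import org.apache.commons.io.FileUtils;
import org.apache.http.HttpStatus;
import org.kohsuke.stapler.Stapler;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

// Hardened stand-in for SQSActivityAction.doDownload (example code, not the plugin's).
public class HardenedActivityDownload {

    private final File activityDir;   // same field as the vulnerable class

    public HardenedActivityDownload(File activityDir) {
        this.activityDir = activityDir;
    }

    /**
     * Maps a client-supplied name onto a regular file that lives directly inside baseDir.
     * Returns null for anything that is not a plain file name in baseDir.
     */
    static File resolveInside(File baseDir, String name) throws IOException {
        if (name == null || name.isEmpty()) {
            return null;
        }
        // Activity logs are a flat set of files, so any separator or ".." is an attack,
        // not a legitimate name. The ".." test rejects both "../" and the encoded "..%2f".
        if (name.contains("/") || name.contains("\\") || name.contains("..")) {
            return null;
        }
        Path base = baseDir.toPath().toRealPath();
        Path target = base.resolve(name).normalize();
        // Containment check on the normalized path. The allow-list above makes it redundant
        // today, but it is the check that still holds if the allow-list is relaxed later.
        if (!target.startsWith(base)) {
            return null;
        }
        File file = target.toFile();
        if (!file.isFile()) {
            return null;
        }
        // A symlink inside activityDir pointing outside passes the lexical checks; resolve it.
        if (!file.toPath().toRealPath().startsWith(base)) {
            return null;
        }
        return file;
    }

    public void doDownload() throws IOException, ServletException {
        StaplerRequest request = Stapler.getCurrentRequest();
        StaplerResponse response = Stapler.getCurrentResponse();

        // Assumption: getRestOfPath() returns "/<name>"; drop only the leading slash.
        String rest = request.getRestOfPath();
        String name = (rest != null && rest.startsWith("/")) ? rest.substring(1) : rest;

        File file = resolveInside(activityDir, name);
        if (file == null) {
            // Same status as before, but the response no longer echoes the attacker's input.
            response.setStatus(HttpStatus.SC_NOT_FOUND);
            response.getOutputStream().println("not found");
            return;
        }
        // try-with-resources guarantees the stream is closed once the file has been served.
        try (FileInputStream is = FileUtils.openInputStream(file)) {
            response.serveFile(request, is, 0L, 60_000L, file.length(), file.getName());
        }
    }
}
```

The allow-list is the primary control and the toRealPath containment check is the backstop; relying on containment alone is weaker because it depends on the filesystem state at request time. This example only closes the traversal: whether the caller is permitted to read a job's activity log at all is an authorization decision that the endpoint should make separately, before any file is opened.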
Impact
This issue may lead to arbitrary file read on the Jenkins controller by an authenticated attacker.
Resources
This vulnerability can be exploited by making an authenticated GET request to a Jenkins server that has the AWS CodeCommit Trigger plugin installed, after configuring a job (named test in the requests below) that uses the “Build when a CodeCommit repository is updated and notifies a SQS queue” build trigger. The path separators in the traversal sequence are URL-encoded (%2f) so that literal ../ segments are not normalized away by the servlet container before the request reaches the plugin's doDownload method.
To obtain Jenkins' credentials file (credentials.xml in the Jenkins home directory):
http://localhost:8080/job/test/sqs-activity/download/..%2f..%2f..%2fcredentials.xml
To obtain /etc/passwd:
http://localhost:8080/job/test/sqs-activity/download//..%2f..%2f..%2f..%2f..%2fetc/passwd
CVE
- CVE-2023-35147
Credit
This issue was discovered and reported by GHSL team member @atorralba (Tony Torralba).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-054 in any communication regarding this issue.