CVE-2017-1000106 in Jenkin
Summary
by MITRE
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The SCM content REST API did not check the current user's authentication or credentials. If the GitHub organization folder was created via Blue Ocean, it retained a reference to its creator's GitHub credentials. This allowed users with read access to the GitHub organization folder to create arbitrary commits in the repositories inside the GitHub organization corresponding to the GitHub organization folder with the GitHub credentials of the creator of the organization folder. Additionally, users with read access to the GitHub organization folder could read arbitrary file contents from the repositories inside the GitHub organization corresponding to the GitHub organization folder if the branch contained a Jenkinsfile (which could be created using the other part of this vulnerability), and they could provide the organization folder name, repository name, branch name, and file name.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 11/22/2019
This vulnerability exists within the Blue Ocean plugin for Jenkins, which facilitates the creation of GitHub organization folders that automatically scan organizations for repositories containing Jenkinsfile configurations to generate corresponding pipelines. The core technical flaw resides in the SCM content REST API that lacks proper authentication and authorization checks when processing pipeline creation and editing operations. The vulnerability stems from the fact that when GitHub organization folders are created through Blue Ocean, they maintain a reference to the creator's GitHub credentials, creating a persistent security risk.
The operational impact of this vulnerability is significant as it enables privilege escalation through a simple read access exploitation. Users who possess only read permissions to a GitHub organization folder can leverage this weakness to perform arbitrary commits to repositories within that organization using the original creator's GitHub credentials. This represents a critical authorization bypass where read-only users can execute write operations against the target repositories, effectively allowing them to modify code, introduce malicious changes, or manipulate the CI/CD pipeline configurations. The vulnerability extends beyond simple commit operations to include arbitrary file reading capabilities when the target branch contains a Jenkinsfile, enabling attackers to extract sensitive information from the repository.
The technical implementation of this vulnerability aligns with CWE-285 (Improper Authorization) and CWE-862 (Missing Authorization) categories, demonstrating how insufficient access control checks can lead to severe privilege escalation scenarios. From an ATT&CK perspective, this vulnerability maps to T1078 (Valid Accounts) and T1566 (Phishing) as it exploits legitimate user credentials to perform unauthorized operations, and T1059 (Command and Scripting Interpreter) through potential pipeline manipulation. The attack vector specifically targets the Blue Ocean plugin's REST API endpoints that handle SCM content operations, where the API fails to validate whether the requesting user has appropriate permissions to perform the requested operations.
Organizations should immediately implement mitigations including restricting access to the Blue Ocean plugin's REST API endpoints, ensuring that only authorized administrators can create and manage GitHub organization folders, and implementing proper credential management practices. The recommended approach involves enforcing strict authentication checks on all SCM content REST API operations and removing the direct credential retention mechanism that allows read-only users to inherit write privileges. Additionally, organizations should consider implementing network-level restrictions to limit access to the vulnerable API endpoints and regularly audit GitHub organization folder configurations to ensure proper access controls are in place. The vulnerability highlights the importance of principle of least privilege implementation and demonstrates how seemingly benign features can become security risks when proper authorization checks are absent.