CVE-2018-6356 in Extended Choice Parameter Plugin
Summary
by MITRE
An issue was discovered in the Extended Choice Parameter (aka extended-choice-parameter) plugin 0.64 for Jenkins 2.89.3. The PATH_INFO filename is vulnerable to path traversal attacks via ..\ sequences to the /plugin/extended-choice-parameter/js/ URI.
Analysis
by VulDB Data Team • 01/07/2020
CVE-2018-6356 affects version 0.64 of the Extended Choice Parameter plugin running on Jenkins 2.89.3. It is a critical path traversal flaw that allows unauthorized access to sensitive system resources. The flaw lives in the plugin's JavaScript endpoint at /plugin/extended-choice-parameter/js/: the PATH_INFO filename parameter is not properly validated, so a request can use ..\ sequences to manipulate the file path that the endpoint resolves.
The root cause is insufficient sanitization of user-supplied input in the plugin's URI handling. When a request for /plugin/extended-choice-parameter/js/ is processed, the PATH_INFO component carrying the filename is neither validated nor normalized, so a crafted request can traverse outside the directory the endpoint is meant to serve and potentially read arbitrary files on the server filesystem. The weakness is classified under CWE-22, Improper Limitation of a Pathname to a Restricted Directory.
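The defensive counterpart to the flaw described above is to confine every PATH_INFO filename to the static directory it is supposed to come from. The following is an added example written for this page, not code from the plugin or from Jenkins; the base directory and file names in the test are constructed placeholders. It treats backslashes as separators regardless of host OS, because on Windows a ..\ sequence climbs a directory exactly as ../ does, which is why a check that only looks for forward slashes is not enough.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_static_path(base_dir: str, path_info: str) -> Optional[Path]:
    """Map a request's PATH_INFO onto a file under base_dir.

    Returns the resolved path, or None when the request would escape
    base_dir. base_dir is a hypothetical static directory; the plugin's
    real directory layout is not part of this example.
    """
    base = Path(base_dir).resolve()

    # Decode percent-encoding once, then treat '\' like '/': on Windows
    # '..\' walks up a directory just as '../' does, so a filter that only
    # looks for '/' misses the sequence named in CVE-2018-6356.
    decoded = unquote(path_info).replace("\\", "/")

    # Split into components, dropping empty and '.' entries, and refuse any
    # '..' component outright rather than trying to "clean" it.
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return None

    candidate = (base / Path(*parts)).resolve()

    # Authoritative check after symlink/dot resolution: the final path must
    # still be inside base, otherwise the request is rejected.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate
```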
The operational impact goes beyond simple information disclosure: the traversal could give an attacker access to sensitive configuration files, credential storage locations, or other privileged resources in the Jenkins environment, including plugin-specific configuration, user credentials stored in memory, or system-level files that hold administrative tokens or keys. The attack vector is particularly concerning because it operates in the context of the Jenkins web application, which can turn into privilege escalation if the application runs with elevated permissions.
This vulnerability is mapped to ATT&CK technique T1059.007, script-based command execution. Path traversal can also be a precursor to more serious attacks, including remote code execution, if it is combined with other vulnerabilities or if the attacker can influence the content of the files that become readable. Organizations running the affected versions should mitigate immediately: update to a patched plugin release, and in the meantime front the instance with a web application firewall or restrict access to the vulnerable endpoint. The case shows that input validation matters everywhere in a web application, and that even a minor component such as a plugin's JavaScript endpoint presents a significant risk when sanitization is missing.
Remediation should start with updating the plugin to a version that fixes the path traversal, backed by network-level controls that restrict access to the vulnerable endpoint. Administrators should also apply the principle of least privilege: run Jenkins with the minimum permissions it needs and protect sensitive resources with proper file system permissions and access controls. Regular security assessment of Jenkins plugins and configuration remains essential for maintaining a secure continuous integration environment.