TB111 Delphix Plugin for Jenkins Vulnerable to Credential Enumeration and Capture

Alert Type: Security

Impact: Severity Medium

This bulletin applies only if you use the Delphix Plugin for Jenkins, a plugin for Jenkins CI that lets Jenkins orchestrate interactions with Delphix Data Control Tower (DCT).

Two vulnerabilities were discovered in the Delphix Plugin for Jenkins that could expose credentials stored in the Jenkins CI system, including the Delphix DCT credentials used by the plugin and certain other credentials held by the same Jenkins controller.

These vulnerabilities were fixed with the release of v3.0.3 on August 9, 2023, and advisories were published by the Jenkins project on August 16, 2023. According to the Jenkins project's installation tracking metrics, there were no installations of the affected versions as of the publication date of this bulletin; however, Jenkins plugins can also be downloaded directly from GitHub, and installations made that way are not reflected in those metrics.

  1. CVE-2023-40344: Missing permission check in Delphix Plugin allows enumerating credentials IDs (Jenkins Advisory)
    CVSS Base Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

  2. CVE-2023-40345: Exposure of system-scoped credentials in Delphix Plugin (Jenkins Advisory)
    CVSS Base Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Additional Background on the Issue

The Delphix Plugin for Jenkins uses the Credentials Binding Plugin, a Jenkins-recommended plugin for credential management that binds a job's secret files and passwords to environment variables so build steps can use them without the secrets appearing in the job configuration.

In the vulnerable versions, the Delphix Plugin's HTTP endpoints that perform these credential lookups did so without checking the caller's permissions and in the system-wide context, so a user with only Overall/Read permission could:

  1. Obtain a list of credential IDs from Jenkins (CVE-2023-40344).

  2. Retrieve the value of a credential by its ID, including SYSTEM-scoped credentials that are not meant to be usable from jobs (CVE-2023-40345).

As a result, users with Overall/Read access to the Jenkins controller could use the vulnerable endpoints of the Delphix Plugin to view credential IDs and values, for example the DCT API key and Jenkins SYSTEM-scoped credentials.
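The following is an added illustration, not code from the Delphix plugin: the Jenkins form-validation anti-pattern that produces exactly these two failure modes (an unguarded credentials drop-down and a connection test that resolves any credential ID as SYSTEM), placed beside a hardened version that follows the Credentials plugin's consumer guidance. The class, method and parameter names (VulnerableDctDescriptor, HardenedDctDescriptor, doTestConnection, dctUrl, DctProbe) are hypothetical, the Authorization header format is assumed, and StringCredentials stands in for whatever credential type holds a DCT API key.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;

import hudson.model.Item;
import hudson.model.Queue;
import hudson.model.queue.Tasks;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;

/** BEFORE (anti-pattern, hypothetical names): both Stapler endpoints answer to anyone with Overall/Read. */
class VulnerableDctDescriptor {
    // Enumeration: no permission check, and the lookup runs as SYSTEM in the root context,
    // so the reply lists the ID of every StringCredentials on the controller, SYSTEM scope included.
    public ListBoxModel doFillCredentialsIdItems() {
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, Jenkins.get(), StringCredentials.class);
    }

    // Capture: any ID learned above is resolved to its secret, which is then presented to
    // whatever host the caller names in dctUrl.
    public FormValidation doTestConnection(@QueryParameter String dctUrl,
                                           @QueryParameter String credentialsId) {
        StringCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StringCredentials.class, Jenkins.get(),
                        ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) return FormValidation.error("Unknown credentials ID");
        return DctProbe.probe(dctUrl, c.getSecret().getPlainText());
    }
}

/** AFTER: permission gates plus lookup in the job's own context and authentication. */
class HardenedDctDescriptor {
    private static Authentication authOf(Item item) {
        return item instanceof Queue.Task ? Tasks.getAuthenticationOf((Queue.Task) item) : ACL.SYSTEM;
    }

    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        // Callers who may not configure this job (or administer Jenkins, at system level)
        // get back only the value already on the form, which reveals nothing new.
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) return result.includeCurrentValue(credentialsId);
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            return result.includeCurrentValue(credentialsId);
        }
        // Item context + job authentication: SYSTEM-scoped credentials are never in this set.
        return result.includeEmptyValue()
                .includeMatchingAs(authOf(item), item, StringCredentials.class,
                        Collections.<DomainRequirement>emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }

    @POST   // validation that touches secrets must not be reachable with a plain GET
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String dctUrl,
                                           @QueryParameter String credentialsId) {
        if (item == null) Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        else item.checkPermission(Item.CONFIGURE);
        StringCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StringCredentials.class, item, authOf(item),
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) return FormValidation.error("Credentials not found or not usable from this job");
        return DctProbe.probe(dctUrl, c.getSecret().getPlainText());
    }
}

/** Hypothetical connectivity probe standing in for the real DCT API call (header format assumed). */
class DctProbe {
    static FormValidation probe(String baseUrl, String apiKey) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(baseUrl).openConnection();
            conn.setRequestProperty("Authorization", "apk " + apiKey);
            conn.setConnectTimeout(5000);
            int code = conn.getResponseCode();
            return code == 200 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

The two fixes are independent and both are needed: the permission gate alone still lets an authorized job configurer reach SYSTEM-scoped credentials through the root-context lookup, while the context fix alone still lets any Overall/Read user enumerate the IDs that are visible from the job.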

Affected Products and Versions

  • Delphix Plugin for Jenkins, 3.x releases prior to 3.0.3.

Clarifications

  • Plugin versions prior to the 3.x family have been decommissioned and replaced by the 3.x family, which is a complete, rearchitected rewrite.

Mitigation

New Installations of Delphix Plugin

  • Install Delphix Plugin 3.0.3 or greater.

Existing Installations of Delphix Plugin

  • Upgrade to Delphix Plugin 3.0.3 or greater.

  • Rotate the DCT API keys used by the plugin.

  • Rotate any SYSTEM-scoped Jenkins credentials on any controller that had a vulnerable version of the Delphix Plugin for Jenkins installed.
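To scope the last rotation step, the following added example (not Delphix's code) lists the SYSTEM-scoped credentials held in the controller-level store, which is where SYSTEM scope lives, across all of its credential domains. The class name SystemScopeInventory is hypothetical; the code uses only the Credentials plugin's public API and is meant to run inside the controller's JVM, for example pasted into the script console, whose Groovy accepts this Java syntax.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import com.cloudbees.plugins.credentials.Credentials;
import com.cloudbees.plugins.credentials.CredentialsNameProvider;
import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
import com.cloudbees.plugins.credentials.common.IdCredentials;
import com.cloudbees.plugins.credentials.domains.Domain;

/** Hypothetical helper: inventories controller-level credentials whose scope is SYSTEM. */
public class SystemScopeInventory {
    /** Returns one "domain : id : display name" line per SYSTEM-scoped credential. */
    public static List<String> systemScopedCredentialIds() {
        List<String> out = new ArrayList<String>();
        // getDomainCredentialsMap() covers every domain; getCredentials() alone would miss
        // credentials filed under non-global domains.
        Map<Domain, List<Credentials>> byDomain = SystemCredentialsProvider.getInstance().getDomainCredentialsMap();
        for (Map.Entry<Domain, List<Credentials>> e : byDomain.entrySet()) {
            String domain = e.getKey().isGlobal() ? "(global)" : e.getKey().getName();
            for (Credentials c : e.getValue()) {
                if (c.getScope() != CredentialsScope.SYSTEM) continue;   // GLOBAL-scoped ones are out of scope here
                String id = (c instanceof IdCredentials) ? ((IdCredentials) c).getId() : "<no id>";
                out.add(domain + " : " + id + " : " + CredentialsNameProvider.name(c));
            }
        }
        return out;
    }
}
```

Run `SystemScopeInventory.systemScopedCredentialIds()` on each controller that had a vulnerable version installed and treat every returned entry as compromised for rotation purposes; the DCT API key itself is covered by the separate rotation step above regardless of its scope.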

Resolution

This issue is resolved in version 3.0.3 of the Delphix Plugin for Jenkins. Role-based permission checks have been added to the plugin's endpoints, and credential lookups now run in the appropriate context rather than system-wide, so credential IDs and values are resolved only within the authorized Jenkins UI flow and are no longer exposed through the plugin's HTTP endpoints.