CVE-2023-25767

8.8 HIGH

📋 TL;DR

A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Credentials Plugin allows attackers to trick authenticated users into connecting Jenkins to attacker-controlled web servers. This affects Jenkins instances with the Azure Credentials Plugin installed, potentially exposing Azure credentials and configuration data.

💻 Affected Systems

Products:
  • Jenkins Azure Credentials Plugin
Versions: 253.v887e0f9e898b and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Jenkins with Azure Credentials Plugin installed and enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal Azure credentials, access sensitive cloud resources, modify infrastructure, or pivot to other systems in the Azure environment.

🟠

Likely Case

Attackers could redirect Jenkins to malicious servers, intercept credentials, or manipulate Azure resource configurations.

🟢

If Mitigated

With proper CSRF protections and network segmentation, impact would be limited to credential exposure without lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking authenticated users into visiting malicious pages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 254.vb_71a_2c5478d3 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-1756

Restart Required: Yes

Instructions:

1. Update Jenkins Azure Credentials Plugin to version 254.vb_71a_2c5478d3 or later via Jenkins Plugin Manager.
2. Restart Jenkins instance.

🔧 Temporary Workarounds

Enable CSRF Protection (applies to: all)

Ensure Jenkins CSRF protection is enabled globally. Check the Jenkins configuration for the 'Prevent Cross Site Request Forgery exploits' setting.

Network Segmentation (applies to: all)

Restrict Jenkins server outbound connections to trusted Azure endpoints only.

🧯 If You Can't Patch

  • Disable or remove Azure Credentials Plugin if not required
  • Implement strict network controls to limit Jenkins outbound connections

🔍 How to Verify

Check if Vulnerable:

Check the Jenkins plugin manager for the Azure Credentials Plugin version. If the version is 253.v887e0f9e898b or earlier, the system is vulnerable.

Check Version:

In the Jenkins web interface, go to Manage Jenkins > Manage Plugins > Installed tab and find 'Azure Credentials Plugin'.

Verify Fix Applied:

Verify Azure Credentials Plugin version is 254.vb_71a_2c5478d3 or later in Jenkins plugin manager.
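The version check above can be automated against the plugin manager's JSON API. The following is an added example written for this page, not code from the advisory or the Jenkins project; it assumes the plugin's short name is `azure-credentials`, that the endpoint `/pluginManager/api/json?depth=1` is reachable with an administrator-level API token, and it embeds a constructed sample response so the parsing and comparison run offline.

```python
import base64
import json
import re
import urllib.request
from typing import Optional

# Fixed release named in the vendor advisory (SECURITY-1756).
FIXED_VERSION = "254.vb_71a_2c5478d3"
# Assumption: the plugin's short name as reported by the Jenkins plugin manager.
PLUGIN_SHORT_NAME = "azure-credentials"

# Constructed sample of /pluginManager/api/json?depth=1 output, trimmed to
# the fields this check reads; the other plugin's version is made up.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({"plugins": [
    {"shortName": "credentials", "version": "1224.vc23ca_a_9a_2e5d", "enabled": True},
    {"shortName": "azure-credentials", "version": "253.v887e0f9e898b", "enabled": True},
]})

def build_number(version: str) -> int:
    """Leading integer of a Jenkins version such as '253.v887e0f9e898b'.
    Incremental versions order by this number; the suffix is a commit id.
    Older dotted versions like '1.6.1' yield 1, which also sorts as earlier."""
    m = re.match(r"\d+", version)
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return int(m.group(0))

def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return build_number(version) < build_number(FIXED_VERSION)

def check_plugin_manager(payload: str) -> Optional[dict]:
    """Report version, enabled state and vulnerability of the Azure
    Credentials Plugin from plugin-manager JSON; None if not installed."""
    for plugin in json.loads(payload).get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = plugin["version"]
            return {"version": version, "enabled": bool(plugin.get("enabled")),
                    "vulnerable": is_vulnerable(version)}
    return None

def fetch_plugin_manager(base_url: str, user: str, api_token: str) -> str:
    """Fetch the same JSON from a live instance using a user API token
    (reading the plugin list needs an administrator-level account)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()
```

Feed the output of `fetch_plugin_manager(...)` to `check_plugin_manager` to evaluate a running instance; a result with `"enabled": False` still counts as installed and should be upgraded or removed.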

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Azure endpoint connections in Jenkins logs
  • Failed authentication attempts to non-standard Azure endpoints

Network Indicators:

  • Jenkins server connecting to unknown or suspicious external IPs/domains
  • Unusual outbound traffic patterns from Jenkins to non-Azure endpoints

SIEM Query:

source="jenkins.log" AND ("azure" OR "credentials") AND ("connection failed" OR "unexpected endpoint")
