CVE-2023-28676
📋 TL;DR
This CSRF vulnerability in Jenkins Convert To Pipeline Plugin allows attackers to trick authenticated users into unknowingly creating pipelines from freestyle projects, potentially leading to remote code execution. It affects Jenkins instances with the vulnerable plugin installed, particularly those exposed to untrusted networks.
💻 Affected Systems
- Jenkins Convert To Pipeline Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise, enabling data theft, malware deployment, or lateral movement.
Likely Case
Unauthorized pipeline creation leading to disruption, data exposure, or limited code execution depending on Jenkins permissions.
If Mitigated
Minimal impact if CSRF protections are enforced or the plugin is disabled, though risk persists if misconfigured.
🎯 Exploit Status
Exploitation requires an authenticated user to be tricked into visiting a malicious page; no public exploit code is known as of the advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to Jenkins Convert To Pipeline Plugin version 1.1 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2963
Restart Required: Yes
Instructions:
1. Access the Jenkins web interface as an administrator.
2. Navigate to Manage Jenkins > Manage Plugins.
3. Go to the Available tab, search for 'Convert To Pipeline Plugin', and install version 1.1 or later.
4. Restart Jenkins after installation.
🔧 Temporary Workarounds
Disable the plugin
Temporarily disable the vulnerable plugin to prevent exploitation until patching is possible.
In Jenkins web interface: Manage Jenkins > Manage Plugins > Installed tab, find 'Convert To Pipeline Plugin', uncheck the box to disable it, and restart Jenkins.
🧯 If You Can't Patch
- Enforce strict CSRF protection in Jenkins settings and use security plugins to monitor for suspicious pipeline creation.
- Restrict network access to Jenkins, limit user permissions to only necessary roles, and educate users on CSRF risks.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab, look for 'Convert To Pipeline Plugin' and verify whether the installed version is 1.0 or earlier.
Check Version:
On the Jenkins server, confirm the plugin is present by listing its archive: ls $JENKINS_HOME/plugins/convert-to-pipeline.jpi (this shows presence, not the version). To print the installed version, use the Jenkins script console (Manage Jenkins > Script Console): println(Jenkins.instance.pluginManager.getPlugin('convert-to-pipeline')?.version) -- the ?. operator prints null instead of throwing when the plugin is not installed.
Verify Fix Applied:
After updating, confirm the plugin version is 1.1 or later in the Installed tab and test that pipeline creation functions normally without CSRF issues.
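The manual checks above can be scripted for fleet-wide verification. The following Python script is an added example, not part of the advisory or the plugin project: it reads the Plugin-Version field from the plugin's MANIFEST.MF (Jenkins unpacks each .jpi into $JENKINS_HOME/plugins/<plugin-id>/, and the manifest is also inside the .jpi zip), parses the version into a comparable tuple and reports whether it is below the fixed version 1.1. The sample manifests are constructed; the default JENKINS_HOME path is an assumption.

```python
"""Check whether the installed Jenkins Convert To Pipeline plugin is at or above 1.1 (added example)."""
import os
import re
import sys
import zipfile

FIXED_VERSION = (1, 1)          # from the advisory: 1.1 or later is fixed
PLUGIN_ID = "convert-to-pipeline"

# Constructed sample manifests containing only the field this check uses.
SAMPLE_MANIFEST_VULNERABLE = """Manifest-Version: 1.0
Short-Name: convert-to-pipeline
Plugin-Version: 1.0
"""
SAMPLE_MANIFEST_FIXED = """Manifest-Version: 1.0
Short-Name: convert-to-pipeline
Plugin-Version: 1.1
"""


def parse_version(text):
    """Turn '1.1', '1.2.3' or '1.1-SNAPSHOT' into a tuple of ints for comparison."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def plugin_version_from_manifest(manifest_text):
    """Return the Plugin-Version value from a MANIFEST.MF body, or None if absent."""
    for line in manifest_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Plugin-Version":
            return value.strip()
    return None


def is_vulnerable(version_text):
    """True when the version is below the fixed release (1.0 or earlier)."""
    return parse_version(version_text) < FIXED_VERSION


def installed_version(jenkins_home, plugin_id=PLUGIN_ID):
    """Read the installed plugin version from $JENKINS_HOME/plugins.

    Tries the exploded plugin directory first, then the .jpi/.hpi archive.
    Returns None when the plugin is not installed.
    """
    plugins_dir = os.path.join(jenkins_home, "plugins")
    manifest = os.path.join(plugins_dir, plugin_id, "META-INF", "MANIFEST.MF")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as fh:
            return plugin_version_from_manifest(fh.read())
    for ext in (".jpi", ".hpi"):
        archive = os.path.join(plugins_dir, plugin_id + ext)
        if os.path.isfile(archive):
            with zipfile.ZipFile(archive) as zf:
                body = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
                return plugin_version_from_manifest(body)
    return None


if __name__ == "__main__":
    # Usage: python check_convert_to_pipeline.py [/path/to/jenkins_home]
    home = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("JENKINS_HOME", "/var/lib/jenkins")  # assumed default
    version = installed_version(home)
    if version is None:
        print(f"{PLUGIN_ID}: not installed under {home}")
    elif is_vulnerable(version):
        print(f"{PLUGIN_ID} {version}: VULNERABLE, update to 1.1 or later")
    else:
        print(f"{PLUGIN_ID} {version}: fixed")
```

Run it on each controller (or against a copied JENKINS_HOME) after the update to confirm the reported version is 1.1 or later; a None result means the plugin is absent, which is also a safe state.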
📡 Detection & Monitoring
Log Indicators:
- Unusual pipeline creation logs, especially from unexpected users or IPs, in Jenkins system logs or audit trails.
Network Indicators:
- HTTP POST requests to Jenkins endpoints related to pipeline conversion without corresponding user authentication patterns.
SIEM Query:
Example for Splunk: source="jenkins.log" "Convert To Pipeline" AND ("created" OR "failed") | stats count by user, src_ip