CVE-2023-28677
📋 TL;DR
This vulnerability in Jenkins Convert To Pipeline Plugin allows attackers with permission to configure Freestyle projects to inject malicious Pipeline script code during conversion. The injected code executes without sandbox restrictions, potentially leading to remote code execution. Affected users are those running Jenkins with the vulnerable plugin installed.
💻 Affected Systems
- Jenkins Convert To Pipeline Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution, allowing attackers to execute arbitrary commands on the Jenkins server with the privileges of the Jenkins process.
Likely Case
Attackers with project configuration access can execute arbitrary Pipeline code, potentially stealing credentials, modifying builds, or deploying malicious artifacts.
If Mitigated
With proper access controls limiting who can configure projects, impact is reduced to authorized users only, though they could still cause damage.
🎯 Exploit Status
Exploitation requires authenticated access with project configuration permissions. The injection mechanism is straightforward: script content supplied through the Freestyle project configuration is carried into the generated Pipeline script by string concatenation during conversion.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1
Vendor Advisory: https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2966
Restart Required: Yes
Instructions:
1. Update Jenkins Convert To Pipeline Plugin to version 1.1 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins > Installed tab.
🔧 Temporary Workarounds
Disable or remove vulnerable plugin
Temporarily disable or uninstall the Convert To Pipeline Plugin until patching is possible.
Manage Jenkins > Manage Plugins > Installed tab > Find 'Convert To Pipeline' > Click 'Disable' or 'Uninstall'
Restrict project configuration permissions
Limit who can configure Freestyle projects to trusted administrators only.
Manage Jenkins > Manage and Assign Roles > Role-based Authorization Strategy > Configure permissions to remove 'Configure' from non-admin users
🧯 If You Can't Patch
- Immediately restrict project configuration permissions to minimal trusted administrators only.
- Monitor Jenkins logs for suspicious conversion activities and audit all Freestyle project configurations.
🔍 How to Verify
Check if Vulnerable:
Check installed plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab > Find 'Convert To Pipeline' plugin. If version is 1.0 or earlier, you are vulnerable.
Check Version:
In Jenkins web UI: Manage Jenkins > Manage Plugins > Installed tab
Verify Fix Applied:
After updating, verify the plugin shows version 1.1 or later in the Installed plugins list. Test converting a Freestyle project to Pipeline to ensure functionality works without errors.
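The version check above can be done without clicking through the UI by reading the plugin list Jenkins exposes at GET /pluginManager/api/json?depth=1 (a standard Jenkins endpoint). The script below is an added example written for this page, not code from the advisory or the plugin project. It assumes the plugin's short name is "convert-to-pipeline" and embeds a constructed sample of the API response; it classifies the plugin as not installed, disabled (the workaround is in effect), vulnerable (1.0 or earlier) or fixed (1.1 or later), and compares versions numerically so that, for instance, a hypothetical 1.10 is not mistaken for something older than 1.1.

```python
import base64
import json
import urllib.request
from typing import Optional

# Constructed sample of the JSON Jenkins returns from
# GET /pluginManager/api/json?depth=1, trimmed to the fields used here.
# "convert-to-pipeline" as the shortName is an assumption; the longName is
# how the advisory refers to the plugin.
SAMPLE_PLUGIN_LIST = json.dumps({
    "plugins": [
        {"shortName": "workflow-aggregator", "longName": "Pipeline",
         "version": "590.v6a_d052e5a_a_b_5", "enabled": True, "active": True},
        {"shortName": "convert-to-pipeline", "longName": "Convert To Pipeline",
         "version": "1.0", "enabled": True, "active": True},
    ]
})

PLUGIN_SHORT_NAME = "convert-to-pipeline"  # assumed plugin id
FIXED_VERSION = "1.1"                        # from the advisory: 1.1 or later is fixed


def parse_version(version: str) -> tuple:
    """Convert a Jenkins plugin version string into a comparable tuple.

    Leading numeric components of each dot-separated piece are kept; a
    trailing hash-like suffix (e.g. '590.v6a_d0...') is ignored once the
    first non-numeric piece is reached.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def make_plugin_list(version: str, enabled: bool = True) -> str:
    """Build a constructed plugin-list JSON document for testing."""
    return json.dumps({"plugins": [
        {"shortName": PLUGIN_SHORT_NAME, "longName": "Convert To Pipeline",
         "version": version, "enabled": enabled, "active": enabled},
    ]})


def find_plugin(plugin_list_json: str, short_name: str = PLUGIN_SHORT_NAME) -> Optional[dict]:
    """Return the plugin entry with the given shortName, or None if absent."""
    data = json.loads(plugin_list_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin
    return None


def assess(plugin_list_json: str) -> str:
    """Classify the installation: 'not-installed', 'disabled', 'vulnerable' or 'fixed'."""
    plugin = find_plugin(plugin_list_json)
    if plugin is None:
        return "not-installed"
    if not plugin.get("enabled", True):
        # Workaround in effect: the plugin cannot run, but update it anyway.
        return "disabled"
    if parse_version(plugin["version"]) < parse_version(FIXED_VERSION):
        return "vulnerable"
    return "fixed"


def fetch_plugin_list(base_url: str, user: str, api_token: str) -> str:
    """Fetch the live plugin list from a Jenkins instance using basic auth.

    Not called in this offline example; base_url, user and api_token are
    the caller's own values.
    """
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + cred})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Run against the constructed sample; swap in fetch_plugin_list(...) for a live check.
    print(assess(SAMPLE_PLUGIN_LIST))
```

Rerun the check after the update and restart; the expected transition is from "vulnerable" to "fixed", and a result of "disabled" means the temporary workaround is in place rather than the patch.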
📡 Detection & Monitoring
Log Indicators:
- Unusual Pipeline conversion activities, especially from non-admin users
- Errors or warnings related to Convert To Pipeline plugin
- Suspicious Pipeline script execution
Network Indicators:
- Unusual outbound connections from Jenkins server following project conversions
SIEM Query:
source="jenkins.log" AND ("Convert To Pipeline" OR "conversion" OR "injected") AND (error OR warning OR suspicious)