CVE-2023-32997
📋 TL;DR
The Jenkins CAS Plugin 1.6.2 and earlier fails to invalidate previous user sessions upon login, allowing session fixation attacks. This vulnerability enables attackers to hijack user sessions by forcing them to use a predetermined session ID. Organizations using Jenkins with the CAS Plugin for authentication are affected.
💻 Affected Systems
- Jenkins CAS Plugin
📦 What is this software?
CAS Plugin (plugin ID cas-plugin) by Jenkins, which lets a Jenkins instance authenticate users against a Central Authentication Service (CAS) single sign-on server.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrator sessions, gaining full control over Jenkins instances to deploy malicious plugins, steal credentials, or disrupt CI/CD pipelines.
Likely Case
Attackers could hijack user sessions to access sensitive build artifacts, source code, or pipeline configurations, potentially leading to data theft or supply chain compromise.
If Mitigated
With proper network segmentation and monitoring, impact would be limited to unauthorized access within the Jenkins environment rather than broader network compromise.
🎯 Exploit Status
Exploitation requires the attacker to trick a user into using a predetermined session ID, typically through phishing or malicious links.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.3
Vendor Advisory: https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3000
Restart Required: Yes
Instructions:
1. Access the Jenkins Update Center.
2. Navigate to Manage Plugins > Available.
3. Search for 'CAS Plugin'.
4. Install version 1.6.3 or later.
5. Restart Jenkins after installation completes.
🔧 Temporary Workarounds
Disable CAS Plugin
Temporarily disable the vulnerable plugin until patching is possible. If CAS is the active security realm, switch Jenkins to another security realm first, otherwise nobody (administrators included) will be able to log in once the plugin is disabled.
java -jar jenkins-cli.jar -s http://jenkins.example.com/ disable-plugin cas-plugin
🧯 If You Can't Patch
- Implement network segmentation to isolate Jenkins instances from critical systems
- Enable detailed session logging and monitor for unusual authentication patterns
🔍 How to Verify
Check if Vulnerable:
Check Jenkins plugin manager for CAS Plugin version. If version is 1.6.2 or earlier, the system is vulnerable.
Check Version:
curl -s -u "$JENKINS_USER:$JENKINS_API_TOKEN" 'http://jenkins.example.com/pluginManager/api/json?tree=plugins[shortName,version]' | grep -o '{[^{}]*"shortName":"cas-plugin"[^{}]*}' | grep -o '"version":"[^"]*"'
The plugin manager API returns a "plugins" list of objects identified by "shortName", not a map keyed by plugin name, so the match is on the object containing "shortName":"cas-plugin". The tree parameter limits the output to the two fields needed; the -u credentials are only required when anonymous users lack Overall/Read.
Verify Fix Applied:
Verify CAS Plugin version is 1.6.3 or later in Jenkins plugin manager and confirm session invalidation occurs on login.
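The version check above is easy to get wrong with plain string comparison ("1.6.10" sorts before "1.6.3" as text). The following added example, which is not Jenkins project code, parses the plugin manager JSON numerically and decides whether the installed cas-plugin is below the fixed version. The sample document is constructed to match the shape of `/pluginManager/api/json?tree=plugins[shortName,version]` (a `plugins` list of objects with `shortName` and `version`), which is an assumption about that API's output; `fetch_plugin_manager_json` is a hypothetical helper for running it against a live instance.

```python
"""Decide whether an installed Jenkins CAS Plugin is below the fixed version.

Added example for this advisory, not Jenkins code. SAMPLE_PLUGIN_MANAGER_JSON
is constructed to resemble the plugin manager API output (an assumption).
"""
import base64
import json
import re
import urllib.request

FIXED_VERSION = "1.6.3"
PLUGIN_ID = "cas-plugin"

# Constructed sample: a Jenkins instance with three plugins installed,
# one of them a vulnerable CAS Plugin.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "_class": "hudson.LocalPluginManager",
    "plugins": [
        {"shortName": "git", "version": "5.0.0"},
        {"shortName": PLUGIN_ID, "version": "1.6.2"},
        {"shortName": "credentials", "version": "1254.vb_a_c5a_91f1e21"},
    ],
})


def version_key(version: str) -> tuple:
    """Turn "1.6.10" into (1, 6, 10) so components compare as integers.

    Plain string comparison gets this wrong ("1.6.10" < "1.6.3"). A
    non-numeric suffix such as "-beta" is dropped, so "1.6.3-beta" is
    treated as 1.6.3.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def installed_version(plugin_manager_json: str, plugin_id: str = PLUGIN_ID):
    """Return the installed version string for plugin_id, or None if absent."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == plugin_id:
            return plugin.get("version")
    return None


def is_vulnerable(plugin_manager_json: str) -> bool:
    """True when cas-plugin is installed at a version below FIXED_VERSION."""
    version = installed_version(plugin_manager_json)
    if version is None:
        return False  # plugin not installed: this CVE does not apply
    return version_key(version) < version_key(FIXED_VERSION)


def fetch_plugin_manager_json(base_url: str, user: str, api_token: str) -> str:
    """Hypothetical helper: fetch the plugin list from a live Jenkins instance.

    Uses HTTP basic auth with a Jenkins API token; only the shortName and
    version fields are requested via the tree parameter.
    """
    url = base_url.rstrip("/") + "/pluginManager/api/json?tree=plugins[shortName,version]"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    v = installed_version(SAMPLE_PLUGIN_MANAGER_JSON)
    print(f"{PLUGIN_ID} version {v}: vulnerable={is_vulnerable(SAMPLE_PLUGIN_MANAGER_JSON)}")
```

Run it against a real instance by passing the string returned from `fetch_plugin_manager_json` into `is_vulnerable`; a `None` from `installed_version` means the plugin is not installed at all, which is reported as not vulnerable rather than as an error.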
📡 Detection & Monitoring
Log Indicators:
- Multiple successful logins from same user in quick succession
- Session IDs persisting across login events
Network Indicators:
- Unusual authentication patterns to CAS endpoints
- Multiple session establishment requests
SIEM Query:
source="jenkins.log" AND "CAS Plugin" AND ("session" OR "login") AND NOT "session invalidated"
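The two log indicators listed above (a session ID persisting across a login, and several successful logins by one user in quick succession) can be checked mechanically. The following added example, which is not Jenkins or CAS Plugin code, runs both checks over constructed log lines. Jenkins does not log in this exact format, so the line format, the `LINE_RE` pattern, and the window and threshold values are assumptions to adapt to your own access or audit logs.

```python
"""Flag session-fixation symptoms and login bursts in sample log lines.

Added example for this advisory, not Jenkins code. The log format below is
constructed: "<ISO8601> <request|login> user=<name> session=<id>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>request|login) user=(?P<user>\S+) session=(?P<sid>\S+)"
)

# Constructed sample: alice keeps session abc123 across her logins (the
# fixation symptom) and logs in three times within a few minutes; bob is
# issued a fresh session id at login, as a fixed plugin would do.
SAMPLE_LOG = """\
2023-05-16T10:00:01Z request user=anonymous session=abc123
2023-05-16T10:00:05Z login user=alice session=abc123
2023-05-16T10:01:00Z request user=anonymous session=def456
2023-05-16T10:01:03Z login user=bob session=9f9f9f
2023-05-16T10:02:00Z login user=alice session=abc123
2023-05-16T10:02:10Z login user=alice session=abc123
"""

RAPID_LOGIN_WINDOW_SECONDS = 180  # assumed tuning values
RAPID_LOGIN_THRESHOLD = 3


def parse(log_text):
    """Return a list of (timestamp, event, user, session_id) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["sid"]))
    return events


def find_persisting_sessions(events):
    """Logins whose session id was already in use before that login.

    A plugin that invalidates the session on login issues a fresh id, so a
    previously seen id reappearing on a login event is the symptom of
    CVE-2023-32997. Returns (iso_timestamp, user, session_id) tuples.
    """
    seen_before = set()
    findings = []
    for ts, event, user, sid in events:
        if event == "login" and sid in seen_before:
            findings.append((ts.isoformat(), user, sid))
        seen_before.add(sid)
    return findings


def find_rapid_logins(events, window=RAPID_LOGIN_WINDOW_SECONDS,
                      threshold=RAPID_LOGIN_THRESHOLD):
    """Users with at least `threshold` logins inside any `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, event, user, _sid in events:
        if event != "login":
            continue
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop logins that fell out of the window
        if len(q) >= threshold:
            flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for ts, user, sid in find_persisting_sessions(ev):
        print(f"{ts} session {sid} persisted across login for {user}")
    for user in find_rapid_logins(ev):
        print(f"{user}: {RAPID_LOGIN_THRESHOLD}+ logins within {RAPID_LOGIN_WINDOW_SECONDS}s")
```

The persisting-session check is the one that speaks directly to this CVE; the login-burst check on its own also fires on legitimate behaviour such as a user retrying after a timeout, so treat it as corroborating context rather than an alert by itself.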