CVE-2023-37961
📋 TL;DR
A CSRF vulnerability in Jenkins Assembla Auth Plugin 1.14 and earlier allows attackers to trick authenticated users into unknowingly logging into the attacker's Assembla account. This affects Jenkins instances using the Assembla Auth Plugin for authentication. Attackers could gain unauthorized access to Jenkins resources through the victim's session.
💻 Affected Systems
- Jenkins Assembla Auth Plugin
📦 What is this software?
Assembla Auth Plugin for Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to Jenkins by tricking admins into logging into attacker-controlled Assembla accounts, leading to complete system compromise, data theft, and further attacks.
Likely Case
Attackers trick regular users into logging into attacker accounts, gaining access to Jenkins projects and sensitive build data they shouldn't have access to.
If Mitigated
With proper CSRF protections and user awareness in place, the vulnerability cannot be exploited successfully and normal authentication security is maintained.
🎯 Exploit Status
Exploitation requires tricking an authenticated user into clicking a malicious link or visiting a compromised website while logged into Jenkins.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.15
Vendor Advisory: https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2988
Restart Required: Yes
Instructions:
1. Update Jenkins Assembla Auth Plugin to version 1.15 or later via Jenkins Plugin Manager.
2. Restart Jenkins after the plugin update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins.
🔧 Temporary Workarounds
Disable Assembla Auth Plugin
Temporarily disable the vulnerable plugin until patching is possible
Navigate to Manage Jenkins > Manage Plugins > Installed tab, find 'Assembla Authentication Plugin', click 'Disable'
Implement CSRF Protection Headers
Add CSRF protection headers at reverse proxy/load balancer level
Add the headers `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'` (these stop Jenkins being embedded in a frame on another site; they do not block a top-level cross-site navigation to the login endpoint, so treat them as defence in depth rather than a complete fix)
🧯 If You Can't Patch
- Implement strict SameSite cookie policies for Jenkins sessions
- Educate users about CSRF risks and safe browsing practices when using Jenkins
🔍 How to Verify
Check if Vulnerable:
Check Jenkins plugin manager for Assembla Auth Plugin version. If version is 1.14 or earlier and plugin is enabled, system is vulnerable.
Check Version:
Check Jenkins web UI: Manage Jenkins > Manage Plugins > Installed tab, or examine $JENKINS_HOME/plugins/assembla-auth.jpi/META-INF/MANIFEST.MF
Verify Fix Applied:
Verify Assembla Auth Plugin version is 1.15 or later in Manage Jenkins > Manage Plugins > Installed tab.
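The version check described above can be scripted so it runs on every controller without opening the web UI. The script below is an added example, not part of the advisory or the plugin project. It assumes Jenkins explodes the plugin into `$JENKINS_HOME/plugins/assembla-auth/` (the `.jpi` named in the advisory is a zip archive, which the script also reads with `unzip -p` if the exploded directory is missing), that the manifest carries a `Plugin-Version:` header as Jenkins plugin manifests do, and that a disabled plugin is marked by a `assembla-auth.jpi.disabled` file beside the archive, the convention Jenkins uses.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether an installed Assembla Auth
# Plugin is at a vulnerable version (1.14 or earlier) for CVE-2023-37961.
# Assumptions: exploded plugin dir $JENKINS_HOME/plugins/assembla-auth/ (or the
# assembla-auth.jpi zip), a "Plugin-Version:" manifest header, and Jenkins'
# "<name>.jpi.disabled" marker for disabled plugins.

FIXED_VERSION="1.15"

# Read a MANIFEST.MF on stdin and print its Plugin-Version (manifests use CRLF).
plugin_version() {
  sed -n 's/^Plugin-Version:[[:space:]]*//p' | tr -d '\r' | head -n 1
}

# version_lt A B: exit 0 when A is older than B, comparing dot-separated numeric parts.
# Non-numeric suffixes (e.g. "15-rc") are ignored, so "1.15-rc" compares as 1.15.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Print the installed plugin version for a plugins directory, or nothing if absent.
installed_assembla_version() {
  plugins="$1"
  if [ -f "$plugins/assembla-auth/META-INF/MANIFEST.MF" ]; then
    plugin_version < "$plugins/assembla-auth/META-INF/MANIFEST.MF"
  elif [ -f "$plugins/assembla-auth.jpi" ]; then
    unzip -p "$plugins/assembla-auth.jpi" META-INF/MANIFEST.MF | plugin_version
  fi
}

# Jenkins marks a disabled plugin with "<name>.jpi.disabled" next to the archive.
plugin_is_disabled() {
  [ -e "$1/assembla-auth.jpi.disabled" ]
}

# Verdict for a plugins directory: prints one line; exits 0 only when the
# installed plugin is both vulnerable and enabled (matches the advisory's rule).
assess_plugins_dir() {
  ver=$(installed_assembla_version "$1")
  if [ -z "$ver" ]; then
    echo "assembla-auth: not installed in $1"
    return 1
  elif ! version_lt "$ver" "$FIXED_VERSION"; then
    echo "assembla-auth $ver: fixed (>= $FIXED_VERSION)"
    return 1
  elif plugin_is_disabled "$1"; then
    echo "assembla-auth $ver: vulnerable version but disabled; update before re-enabling"
    return 1
  else
    echo "assembla-auth $ver: VULNERABLE to CVE-2023-37961, update to $FIXED_VERSION or later"
    return 0
  fi
}

# Usage: sh check-assembla.sh /var/lib/jenkins   (path is an example JENKINS_HOME)
if [ $# -gt 0 ]; then
  assess_plugins_dir "$1/plugins"
fi
```

The exit status is chosen so the script drops straight into a fleet-wide loop (`ssh host sh check-assembla.sh /var/lib/jenkins && echo "$host needs patching"`), and the numeric comparison avoids the classic string-compare mistake where "1.9" sorts after "1.15".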
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from same user with different Assembla accounts
- Unusual authentication patterns in Jenkins access logs
Network Indicators:
- HTTP POST requests to /securityRealm/commenceLogin without proper referrer headers
- Cross-origin requests to Jenkins authentication endpoints
SIEM Query:
source="jenkins.log" AND ("assembla" OR "securityRealm/commenceLogin") AND status=302
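The network indicators above (requests to `/securityRealm/commenceLogin` with no Referer or from a foreign origin) can be checked against the reverse proxy's access log. The script below is an added example, not part of the advisory; it assumes the NCSA combined log format that nginx and Apache emit by default, with the Referer as the second double-quoted field after the request, and that `JENKINS_ORIGIN` holds the scheme and host Jenkins is served on. The sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the advisory: flag requests to the Assembla login
# endpoint that arrive without a Referer or from an origin other than Jenkins.
# Assumptions: combined log format ("request" status bytes "referer" "agent"),
# and JENKINS_ORIGIN = scheme://host that legitimate in-app navigation comes from.

JENKINS_ORIGIN="${JENKINS_ORIGIN:-https://jenkins.example.internal}"

# Constructed sample access log: a normal login from the Jenkins login page, an
# unrelated request, a login with no Referer, and one referred from another site.
SAMPLE_LOG='10.0.0.5 - - [12/Jul/2023:10:00:01 +0000] "GET /securityRealm/commenceLogin HTTP/1.1" 302 0 "https://jenkins.example.internal/login" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2023:10:00:02 +0000] "GET /job/build/ HTTP/1.1" 200 512 "https://jenkins.example.internal/" "Mozilla/5.0"
10.0.0.7 - - [12/Jul/2023:10:05:13 +0000] "GET /securityRealm/commenceLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jul/2023:10:06:40 +0000] "POST /securityRealm/commenceLogin HTTP/1.1" 302 0 "http://lure.example/page.html" "Mozilla/5.0"'

# Read access log lines (files as arguments, or stdin) and print one tab-separated
# line per suspicious hit: client, method, reason, referer.
flag_suspicious_logins() {
  awk -F'"' -v origin="$JENKINS_ORIGIN" '
    {
      split($2, req, " ")                      # req[1]=method, req[2]=path
      if (req[2] !~ /^\/securityRealm\/commenceLogin/) next
      ref = $4
      if (ref == "-" || ref == "")
        reason = "no-referer"
      else if (ref != origin && index(ref, origin "/") != 1)
        reason = "cross-origin"
      else
        next                                   # referred from Jenkins itself: benign
      split($1, pre, " ")                      # pre[1]=client address
      print pre[1] "\t" req[1] "\t" reason "\t" ref
    }' "$@"
}

# Number of suspicious hits in the constructed sample (used for a quick self-check).
count_flagged_in_sample() {
  printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_logins | wc -l | tr -d ' '
}

# Usage: flag_suspicious_logins /var/log/nginx/access.log   (example path)
if [ $# -gt 0 ]; then
  flag_suspicious_logins "$@"
fi
```

A "no-referer" hit is not proof of an attack on its own: browsers strip the Referer under strict Referrer-Policy settings and some privacy extensions, so baseline the normal rate first and alert on cross-origin referers and on spikes of referer-less logins from addresses that never visited the Jenkins login page.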