CVE-2023-41933 – This vulnerability in Jenkins Job Configuration... (How to Fix)

Q: What is the severity of CVE-2023-41933?

CVE-2023-41933 has a CVSS score of 8.8 (HIGH). This vulnerability in Jenkins Job Configuration History Plugin allows attackers to perform XML External Entity (XXE) attacks by exploiting improper XML parser configuration. Attackers can read arbitrary files from the Jenkins controller file system, potentially exposing sensitive data. All Jenkins instances using affected plugin versions are vulnerable.

📋 TL;DR

This vulnerability in Jenkins Job Configuration History Plugin allows attackers to perform XML External Entity (XXE) attacks by exploiting improper XML parser configuration. Attackers can read arbitrary files from the Jenkins controller file system, potentially exposing sensitive data. All Jenkins instances using affected plugin versions are vulnerable.

💻 Affected Systems

Products:

Jenkins Job Configuration History Plugin

Versions: 1227.v7a_79fc4dc01f and earlier

Operating Systems: All operating systems running Jenkins

Default Config Vulnerable: ⚠️ Yes

Notes: All Jenkins instances with the vulnerable plugin version installed are affected regardless of configuration.

📦 What is this software?

Job Configuration History by Jenkins

View all CVEs affecting Job Configuration History →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Jenkins controller file system, allowing reading of sensitive files like credentials, configuration files, and source code, potentially leading to further system compromise.

🟠

Likely Case

Unauthorized reading of sensitive files from Jenkins controller, potentially exposing credentials, configuration data, or other sensitive information stored on the server.

🟢

If Mitigated

Limited impact with proper network segmentation and file system permissions, but still potential for information disclosure from accessible files.

🌐 Internet-Facing: HIGH - Jenkins instances exposed to the internet are directly vulnerable to exploitation attempts.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to escalate privileges or access sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access to Jenkins, but XXE attacks are well-documented and relatively easy to execute once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1227.v7a_79fc4dc01f_1 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235

Restart Required: Yes

Instructions:

1. Update Jenkins Job Configuration History Plugin to version 1227.v7a_79fc4dc01f_1 or later via Jenkins Plugin Manager. 2. Restart Jenkins to apply the update. 3. Verify the plugin version in Jenkins plugin management interface.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the Job Configuration History Plugin until patching is possible

Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab > Find 'Job Configuration History' > Click 'Disable'

Restrict file system permissions

linux

Limit file system access to Jenkins service account to reduce potential impact

chmod 700 /var/lib/jenkins
chown -R jenkins:jenkins /var/lib/jenkins

🧯 If You Can't Patch

Disable the Job Configuration History Plugin immediately
Implement strict network segmentation to isolate Jenkins from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab > Find 'Job Configuration History' and check version number

Check Version:

grep 'Job Configuration History' /var/lib/jenkins/plugins/jobConfigHistory/META-INF/MANIFEST.MF | grep 'Plugin-Version'

Verify Fix Applied:

Verify plugin version is 1227.v7a_79fc4dc01f_1 or later in Jenkins plugin management interface

📡 Detection & Monitoring

Log Indicators:

Unusual XML parsing errors in Jenkins logs
Multiple failed authentication attempts followed by XML-related requests
File read operations from unexpected locations

Network Indicators:

XML payloads containing external entity declarations in HTTP requests to Jenkins
Outbound connections from Jenkins to external entities during XML processing

SIEM Query:

source="jenkins.log" AND ("XXE" OR "external entity" OR "DOCTYPE" OR "ENTITY")

📊 Metadata

CVE ID: CVE-2023-41933

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-611

Published: September 6, 2023

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2023/09/06/9 Mailing List,Third Party Advisory
https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235 Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/09/06/9 Mailing List,Third Party Advisory
https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-41933, you might also want to check these: