CVE-2023-50774
📋 TL;DR
This CSRF vulnerability in Jenkins HTMLResource Plugin allows attackers to trick authenticated users into executing malicious requests that delete arbitrary files on the Jenkins controller file system. It affects Jenkins installations using HTMLResource Plugin version 1.02 or earlier. Attackers can leverage this to disrupt Jenkins operations or potentially escalate to more severe attacks.
💻 Affected Systems
- Jenkins HTMLResource Plugin
⚠️ Risk & Real-World Impact
Worst Case
Complete Jenkins controller compromise through deletion of critical system files, configuration files, or Jenkins home directory contents, leading to service disruption, data loss, or privilege escalation.
Likely Case
Targeted deletion of Jenkins configuration files, build artifacts, or plugin files causing service disruption, failed builds, or loss of historical data.
If Mitigated
Limited impact with proper CSRF protections and file permission restrictions, potentially causing minor service interruptions.
🎯 Exploit Status
Exploitation requires tricking an authenticated user into visiting a malicious webpage. No authentication bypass is needed beyond the user's existing Jenkins session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: HTMLResource Plugin 1.03 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3183
Restart Required: Yes
Instructions:
1. Navigate to Jenkins Manage Jenkins > Manage Plugins > Installed tab.
2. Find HTMLResource Plugin and check for updates.
3. If an update is available, install HTMLResource Plugin 1.03 or later.
4. Restart Jenkins after the installation completes.
🔧 Temporary Workarounds
Disable HTMLResource Plugin
Temporarily disable the vulnerable plugin if immediate patching isn't possible
Navigate to Jenkins Manage Jenkins > Manage Plugins > Installed tab, find HTMLResource Plugin, and click Disable
Enable CSRF Protection
Ensure Jenkins CSRF protection is enabled globally
Navigate to Jenkins Manage Jenkins > Configure Global Security, ensure 'Prevent Cross Site Request Forgery exploits' is checked
🧯 If You Can't Patch
- Restrict network access to Jenkins to trusted users only
- Implement strict file permissions on Jenkins controller file system
🔍 How to Verify
Check if Vulnerable:
Check installed plugin version in Jenkins Manage Jenkins > Manage Plugins > Installed tab. If HTMLResource Plugin version is 1.02 or earlier, system is vulnerable.
Check Version:
curl -s -u USER:API_TOKEN http://jenkins-host/pluginManager/installed | grep -A2 'HTMLResource Plugin'
(The plugin manager page requires an authenticated user with Overall/Administer; replace USER:API_TOKEN with a Jenkins user and API token.)
Verify Fix Applied:
Verify HTMLResource Plugin version is 1.03 or later in Jenkins Manage Jenkins > Manage Plugins > Installed tab.
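Scripted equivalent of the version check above, added here as an example and not part of this advisory. It reads the plugin inventory JSON that Jenkins serves at /pluginManager/api/json?depth=1 (an authenticated endpoint) and compares the HTMLResource Plugin version numerically against 1.03, so that 1.10 is not mistaken for an old release; the plugin short name `htmlresource` is an assumption and the sample inventory is constructed.

```python
"""Classify the HTMLResource Plugin as vulnerable/fixed/disabled from Jenkins' plugin inventory."""
import base64
import json
import re
import urllib.request

FIXED_VERSION = "1.03"              # per the vendor advisory, 1.03 or later is fixed
PLUGIN_SHORT_NAME = "htmlresource"  # assumed short name of the HTMLResource Plugin


def version_key(version):
    """Numeric tuple so that '1.10' sorts after '1.02' (a plain string compare would not)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def assess(inventory_json):
    """Return 'absent', 'fixed', 'disabled' (vulnerable version but the plugin is
    switched off, i.e. the advisory's workaround) or 'vulnerable'."""
    for plugin in json.loads(inventory_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        if version_key(plugin.get("version", "0")) >= version_key(FIXED_VERSION):
            return "fixed"
        return "vulnerable" if plugin.get("enabled", True) else "disabled"
    return "absent"


def fetch_inventory(base_url, user, api_token):
    """Pull the live inventory with basic auth (a user + API token); not run in this example."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


# Constructed sample inventory, trimmed to the fields this check reads.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.1", "enabled": True},
    {"shortName": PLUGIN_SHORT_NAME, "version": "1.02", "enabled": True},
]})

if __name__ == "__main__":
    print("HTMLResource Plugin status:", assess(SAMPLE_INVENTORY))  # prints "vulnerable"
```

Against a live controller, replace the sample with `fetch_inventory("https://jenkins-host", "user", "token")`.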
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in Jenkins logs
- HTTP POST requests to /plugin/htmlresource/ endpoints from unexpected sources
Network Indicators:
- HTTP requests to Jenkins with missing or malformed CSRF tokens
- Multiple file deletion requests in short timeframes
SIEM Query:
source="jenkins.log" AND ("deleting" OR "removing") AND "htmlresource"