Security context
MediumGHSA-vxc6-wvh8-fpxw CVE-2014-2062CWE-287Published May 17, 2022

Jenkins does not invalidate the API token when a user is deleted

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

1.533 → fixed in 1.5510 → fixed in 1.532.2

Details

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

The fix

[FIXED SECURITY-89] When checking an API token, verify that

Jesse Glick· Feb 7, 2014, 05:57 PM+1505548b5220c
core/src/main/java/jenkins/security/ApiTokenFilter.java+15 0
@@ -2,9 +2,13 @@
import hudson.model.User;
import hudson.security.ACL;
+import hudson.security.UserMayOrMayNotExistException;
import hudson.util.Scrambler;
+import jenkins.model.Jenkins;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
+import org.acegisecurity.userdetails.UsernameNotFoundException;
+import org.springframework.dao.DataAccessException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
@@ -41,6 +45,17 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
int idx = uidpassword.indexOf(':');
if (idx >= 0) {
String username = uidpassword.substring(0, idx);
+ try {
+ Jenkins.getInstance().getSecurityRealm().loadUserByUsername(username);
+ } catch (UserMayOrMayNotExistException x) {
+ // OK, give them the benefit of the doubt.
+ } catch (UsernameNotFoundException x) {
+ // Not/no longer a user; deny the API token. (But do not leak the information that this happened.)
+ chain.doFilter(request, response);
+ return;
+ } catch (DataAccessException x) {
+ throw new ServletException(x);
+ }
String password = uidpassword.substring(idx+1);
// attempt to authenticate as API token

References