Jenkins does not invalidate the API token when a user is deleted
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
1.533 → fixed in 1.5510 → fixed in 1.532.2
Details
Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.
The fix
[FIXED SECURITY-89] When checking an API token, verify that
core/src/main/java/jenkins/security/ApiTokenFilter.java+15 −0
@@ -2,9 +2,13 @@import hudson.model.User;import hudson.security.ACL;+import hudson.security.UserMayOrMayNotExistException;import hudson.util.Scrambler;+import jenkins.model.Jenkins;import org.acegisecurity.context.SecurityContext;import org.acegisecurity.context.SecurityContextHolder;+import org.acegisecurity.userdetails.UsernameNotFoundException;+import org.springframework.dao.DataAccessException;import javax.servlet.Filter;import javax.servlet.FilterChain;@@ -41,6 +45,17 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterChaint idx = uidpassword.indexOf(':');if (idx >= 0) {String username = uidpassword.substring(0, idx);+try {+Jenkins.getInstance().getSecurityRealm().loadUserByUsername(username);+} catch (UserMayOrMayNotExistException x) {+// OK, give them the benefit of the doubt.+} catch (UsernameNotFoundException x) {+// Not/no longer a user; deny the API token. (But do not leak the information that this happened.)+chain.doFilter(request, response);+return;+} catch (DataAccessException x) {+throw new ServletException(x);+}String password = uidpassword.substring(idx+1);// attempt to authenticate as API token
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-2062
- WEBhttps://github.com/jenkinsci/jenkins/commit/5548b5220cfd496831b5721124189ff18fbb12a3
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
- WEBhttp://www.openwall.com/lists/oss-security/2014/02/21/2