Submitting as delegate for a Cisco pen-testing team
This is a vulnerability which could allow an attacker to change a logged-in user's credentials without confirming that they are the user in question.
Headline: Jenkins credential change should require reauthentication
Platforms: Jenkins
Versions: 1.622
CWE Tags: CWE-620
Jenkins allows users to authenticate using multiple credentials including
passwords, API tokens, and SSH keys. End-users administer each of these
credentials via the user configuration page (e.g. /user/ /configure),
but this page does not require the user to reauthenticate before making a
change.
All applications must routinely accept changes to application state; however,
credential changes must be handled with the utmost care. Unlike other changes,
an insecure credential change process can allow an attacker to completely take
over a user account. For example, if an attacker temporarily gains unauthorized
access to an authenticated session, he can alter one or more of the user's
credentials, thus allowing the attacker to access the account later. He can also
use this capability to lock the legitimate user out of the account.
Best practices dictate that applications require users to reauthenticate before
making a credential change. For example, many applications have long required
users to enter their old password and new password in order to make a password
change. To defend against the extreme consequences of such an attack, Jenkins
must also require all users to reauthenticate before accepting any credential
change.
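The following is an added illustration of the pattern described above, not Jenkins code: a minimal in-memory account model (assumed for the example) with a credential-change handler that trusts the session alone (the CWE-620 shape) beside one that first makes the caller prove knowledge of the current password, applied to both the password and the API token.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; assumption for this example


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak which byte differed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Hypothetical user record holding the two credentials we care about."""
    def __init__(self, username, password):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.api_token = secrets.token_hex(16)


def change_password_unverified(account, session, new_password):
    """CWE-620: anyone holding the session cookie can rotate the credential."""
    if session.get("user") != account.username:
        return False
    account.salt, account.pw_hash = hash_password(new_password)
    return True


def _reauthenticated(account, session, current_password):
    """Session must belong to the account AND the caller must know its password."""
    if session.get("user") != account.username:
        return False
    return verify_password(current_password, account.salt, account.pw_hash)


def change_password_reauth(account, session, current_password, new_password):
    if not _reauthenticated(account, session, current_password):
        return False
    account.salt, account.pw_hash = hash_password(new_password)
    return True


def regenerate_api_token_reauth(account, session, current_password):
    """Same gate for the API token; returns the new token or None on refusal."""
    if not _reauthenticated(account, session, current_password):
        return None
    account.api_token = secrets.token_hex(16)
    return account.api_token
```

A real deployment would additionally invalidate other sessions and notify the user after a successful change; the gate above is the minimum the report asks for.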
Finally, one should note that this isn't just a theoretical security issue.
Adherence to this best practice would have fully mitigated the critical
exposure resulting from Jenkins SECURITY-180/CVE-2015-1814 (forced API token
change).
References:
http://cwe.mitre.org/data/definitions/620.html