jenkinsci/build-monitor-plugin

Stored XSS vulnerability in Build Monitor View Plugin

hunter86bg opened this issue · 4 comments

Jenkins and plugins versions report

Seems there is a XSS vulnerability in the Build Monitor Plugin.
Is there any mitigation or a fix planned ?

What Operating System are you using (both controller, and any agents involved in the problem)?

RHEL9

Reproduction steps

Install the build-monitor plugin

Expected Results

No XSS vulnerability

Actual Results

XSS vulnerability is affecting the plugin.

Anything else?

No response

Are you interested in contributing a fix?

No response

Security advisory: https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3280 (CVE-2024-28156)

This plugin is installed on 5% of all Jenkins instances, would be great to close this vulnerability!

The CVE is not clear and there is no PoC of how the XSS works. I have taken a look at this plugin's code; it is well written and it should be easy to fix. But I'm not sure where to patch unless I find the PoC for CVE-2024-28156.

Vulnerability report claims that something is not escaped here, but AngularJS documentation says that everything between {{ }} should be escaped automatically. I have also tried the following:

  • Create Build Monitor View name with HTML content. You cannot do that as Jenkins complains about < and > characters.
  • Modify Build Monitor View title to add HTML content. It gets properly escaped.
  • Create Jenkins job with HTML content in its name and add that job to Build Monitor View. You cannot do that as Jenkins complains about < and > characters.

Maybe this is a false positive because the audit tool doesn't take into account AngularJS syntax?

Not sure who to ping here. @daniel-beck and @basil seem to be the only ones with recent commits in this repo.
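The comment above turns on whether a stored name reaches the page through an interpolation that escapes it or through a path that does not. The following is an added example for readers of this thread, not code from the Build Monitor plugin or from AngularJS: a text-context HTML escaper, a minimal `{{ }}` interpolator that escapes every substituted value (modelling the behaviour the commenter attributes to AngularJS), and a raw-concatenation variant that does not. The `TILE_TEMPLATE` and `SAMPLE` values are constructed for the demonstration; `interpolateEscaped`, `interpolateRaw` and `containsTag` are hypothetical helper names.

```javascript
// Added example (not plugin or AngularJS code): contrast an escaping
// interpolator with raw concatenation when rendering a stored job/view name.

// Entity map for the HTML text context (and double/single-quoted attributes).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value so that it renders as literal text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Resolve a {{ key }} placeholder from the scope; missing keys render empty.
function lookup(scope, key) {
  return Object.prototype.hasOwnProperty.call(scope, key) ? String(scope[key]) : '';
}

// {{ }} interpolation that escapes every substituted value, which is the
// behaviour the commenter above attributes to AngularJS interpolation.
function interpolateEscaped(template, scope) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => escapeHtml(lookup(scope, key)));
}

// Raw concatenation: whatever markup the stored value contains becomes live HTML.
function interpolateRaw(template, scope) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => lookup(scope, key));
}

// Detect whether a rendered fragment still contains an HTML tag.
// A defender can run this over the rendered name alone to confirm that
// the escaping path produced no markup from user-controlled input.
function containsTag(html) {
  return /<[a-zA-Z/][^>]*>/.test(html);
}

// Constructed tile template and a constructed job name carrying markup.
const TILE_TEMPLATE = '<div class="job"><span class="name">{{ name }}</span></div>';
const SAMPLE = { name: 'nightly <b>release</b> build' };

// Render only the name through each path so the check targets user input.
function renderNameEscaped(scope) { return interpolateEscaped('{{ name }}', scope); }
function renderNameRaw(scope) { return interpolateRaw('{{ name }}', scope); }

// Stand-alone demonstration.
console.log(interpolateEscaped(TILE_TEMPLATE, SAMPLE));
console.log('escaped path emits a tag:', containsTag(renderNameEscaped(SAMPLE)));
console.log('raw path emits a tag:    ', containsTag(renderNameRaw(SAMPLE)));
```

Applied to the thread's question: if a job name is rendered through a path that behaves like `interpolateEscaped`, markup in it is inert; the point the maintainers are asked to check is whether some other path in the view behaves like `interpolateRaw`. Note that rejecting `<` and `>` at name-creation time, as the commenter observed Jenkins doing, is an input-side control; output-side escaping at every render site is what makes the result context-safe regardless of how the stored value got there.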

The CVE is not clear and there is no PoC of how the XSS works.

We do not publicly provide PoCs for any of our issues except as required to implement test coverage of fixes. Hence, the only public information is what we think administrators need to know to decide their continued use of the plugin.

We provide steps to reproduce (including, where known, culprit code locations) to maintainers. In this case, the plugin appears unmaintained since 2021, and the maintainers were unresponsive when we tried to contact them.

Vulnerability report claims that something is not escaped here

It doesn't. That's the job name, not the view name.

Maybe this is a false positive because the audit tool doesn't take into account AngularJS syntax?

We do not publish security advisories for unconfirmed vulnerabilities except in very unusual circumstances. Basic XSS issues do not qualify for that exception.

Anyway, #951 addresses the issue. I recommend you install the PR build if you're concerned about it. The security warning remains (and needs to be manually disabled in Jenkins config), as it's purely based on the version.