Stored XSS vulnerability in Build Monitor View Plugin
hunter86bg opened this issue · 4 comments
Jenkins and plugins versions report
Seems there is an XSS vulnerability in the Build Monitor Plugin.
Is there any mitigation or a fix planned?
What Operating System are you using (both controller, and any agents involved in the problem)?
RHEL9
Reproduction steps
Install the build-monitor plugin
Expected Results
No XSS vulnerability
Actual Results
XSS vulnerability is affecting the plugin.
Anything else?
No response
Are you interested in contributing a fix?
No response
Security advisory: https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3280 (CVE-2024-28156)
This plugin is installed on 5% of all Jenkins instances, would be great to close this vulnerability!
The CVE is not clear and there is no PoC of how the XSS works. I have taken a look at this plugin's code; it is well written and it should be easy to fix. But I am not sure where to patch unless I find the PoC for CVE-2024-28156.
The vulnerability report claims that something is not escaped here:
- Create a Build Monitor View name with HTML content. You cannot do that, as Jenkins complains about < and > characters.
- Modify the Build Monitor View title to add HTML content. It gets properly escaped.
- Create a Jenkins job with HTML content in its name and add that job to a Build Monitor View. You cannot do that, as Jenkins complains about < and > characters.
Maybe this is a false positive because the audit tool doesn't take into account AngularJS syntax?
Not sure who to ping here. @daniel-beck and @basil seem to be the only ones with recent commits in this repo.
The CVE is not clear and there is no PoC of how the XSS works.
We do not publicly provide PoCs for any of our issues except as required to implement test coverage of fixes. Hence, the only public information is what we think administrators need to know to decide their continued use of the plugin.
We provide steps to reproduce (including, where known, culprit code locations) to maintainers. In this case, the plugin appears unmaintained since 2021, and the maintainers were unresponsive when we tried to contact them.
The vulnerability report claims that something is not escaped here
It doesn't. That's the job name, not the view name.
Maybe this is a false positive because the audit tool doesn't take into account AngularJS syntax?
We do not publish security advisories for unconfirmed vulnerabilities except in very unusual circumstances. Basic XSS issues do not qualify for that exception.
Anyway, #951 addresses the issue. I recommend you install the PR build if you're concerned about it. The security warning remains (and needs to be manually disabled in Jenkins config), as it's purely based on the version.