A recent vulnerability (CVE-2023-40342) has been identified in the Jenkins Flaky Test Handler Plugin 1.2.2 and earlier versions. Because the plugin does not escape JUnit test contents when displaying them in the Jenkins user interface, an attacker who can control the contents of a JUnit report can mount a stored cross-site scripting (XSS) attack. In this blog post, we will dive into the specifics of this vulnerability, including code snippets, original references, and exploit details.

Background

The Jenkins Flaky Test Handler Plugin is designed to identify and handle flaky tests in a Jenkins build. The plugin allows for re-running failed tests to determine whether they are "flaky" or not. However, it has a serious flaw in the way it processes and displays JUnit test contents on the Jenkins UI, potentially exposing users to stored XSS attacks.

Code Snippet

The vulnerability arises because the plugin does not properly escape JUnit test contents when it displays them on the Jenkins UI. Without that escaping, anything an attacker can place in a JUnit report file (a failure message, an error message, or the captured stack trace) is inserted into the page as markup and runs in the browser of every user who views the test results.

Here's an example snippet of how this might look in practice:

<testcase name="testExample" classname="com.example.VulnerableTest">
    <failure type="junit.framework.AssertionFailedError" message="&lt;script&gt;alert('XSS!')&lt;/script&gt;">
        <![CDATA[ java.lang.AssertionError: &lt;script&gt;alert('XSS!')&lt;/script&gt;
            at org.junit.Assert.fail(Assert.java:88)
            at com.example.VulnerableTest.testExample(VulnerableTest.java:45)
        ]]>
    </failure>
</testcase>

Here, the attacker has placed a simple JavaScript payload (alert('XSS!')) in the "message" attribute of the <failure> element. The XML parser decodes the entity-encoded attribute back into a real <script> tag, and because the plugin inserts that value into the page without escaping it, the script runs when the Jenkins UI renders the test results, showing an alert popup with the text "XSS!" to the user.
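To make the escaping point concrete, here is an added example (not code from the plugin or the Jenkins project) that parses a constructed JUnit report mirroring the snippet above, renders its failures both the vulnerable way and the escaped way, and includes a small check a CI job could run over reports to flag test output that decodes to HTML markup. The report contents, function names and HTML table layout are all assumptions for illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed JUnit report mirroring the snippet in the post (not a real build artifact).
SAMPLE_REPORT = """<testsuite name="com.example.VulnerableTest" tests="1" failures="1">
  <testcase name="testExample" classname="com.example.VulnerableTest">
    <failure type="junit.framework.AssertionFailedError"
             message="&lt;script&gt;alert('XSS!')&lt;/script&gt;"><![CDATA[java.lang.AssertionError: &lt;script&gt;alert('XSS!')&lt;/script&gt;
    at org.junit.Assert.fail(Assert.java:88)
    at com.example.VulnerableTest.testExample(VulnerableTest.java:45)]]></failure>
  </testcase>
</testsuite>
"""


def parse_failures(report_xml):
    """Return (classname, name, message, body) for every <failure>/<error> in a JUnit report."""
    root = ET.fromstring(report_xml)
    out = []
    for case in root.iter("testcase"):
        for node in case:
            if node.tag in ("failure", "error"):
                # Attribute values are entity-decoded by the parser, so the message
                # comes back as real '<script>' markup. CDATA text is taken verbatim,
                # so '&lt;' inside the body stays a literal entity at this stage.
                out.append((case.get("classname", ""), case.get("name", ""),
                            node.get("message") or "", (node.text or "").strip()))
    return out


def render_unescaped(failures):
    """Vulnerable pattern: test-controlled strings are concatenated straight into HTML."""
    return "".join(f"<tr><td>{c}.{n}</td><td>{m}</td><td><pre>{b}</pre></td></tr>"
                   for c, n, m, b in failures)


def render_escaped(failures):
    """Fixed pattern: every test-controlled string is HTML-escaped before insertion."""
    return "".join("<tr><td>{}.{}</td><td>{}</td><td><pre>{}</pre></td></tr>".format(
                       html.escape(c), html.escape(n), html.escape(m), html.escape(b))
                   for c, n, m, b in failures)


def contains_markup(failures):
    """CI-side check: list tests whose message or (entity-decoded) body contains HTML markup."""
    return [(c, n) for c, n, m, b in failures if "<" in m or "<" in html.unescape(b)]
```

Note that the entity-encoded text inside the CDATA section is not decoded by the XML parser, so in the snippet above only the message attribute actually yields live markup once parsed; the check therefore unescapes the body before testing it.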

Original References

- CVE-2023-40342
- Jenkins Security Advisory

Exploit Details

The stored XSS vulnerability (CVE-2023-40342) affects Jenkins Flaky Test Handler Plugin version 1.2.2 and earlier. An attacker who can modify the contents of a JUnit report file injects JavaScript into the <failure> or <error> elements; the Jenkins UI then renders that content unescaped, and the script executes whenever the test results are displayed.

To mitigate this vulnerability, users are advised to update to the latest version of the Jenkins Flaky Test Handler Plugin, which includes a fix for this issue. The plugin maintainer has released version 1.3., which addresses the vulnerability by properly escaping JUnit test contents when shown on the Jenkins UI.

Conclusion

As a Jenkins user, it is crucial to keep all plugins up to date to protect against newly discovered vulnerabilities such as CVE-2023-40342. This vulnerability demonstrates the importance of properly escaping user-generated content when displaying it in a web application. Always stay vigilant and maintain a strong security posture by applying the latest updates and patches for all your software.

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 20:05:00 UTC