CVE-2023-40346: Jenkins Shortcut Job Plugin XSS Vulnerability and How to Fix It

In this post, we'll discuss a stored cross-site scripting (XSS) vulnerability (CVE-2023-40346) found in the Jenkins Shortcut Job Plugin version .4 and earlier. This vulnerability allows attackers who can configure shortcut jobs to exploit the lack of escaping in the shortcut redirection URL. We'll provide all the necessary details, including code snippets and links to original references, to help you better understand this exploit and how to mitigate it.

CVE Details

CVE ID: CVE-2023-40346
Impact: Stored Cross-Site Scripting (XSS)
Affected Versions: Jenkins Shortcut Job Plugin .4 and earlier
Fixed Version: Jenkins Shortcut Job Plugin .5

Exploit Details

The Jenkins Shortcut Job Plugin helps create shortcut URLs for jobs. However, the developers of this plugin failed to properly escape the shortcut redirection URL, leading to a stored XSS vulnerability. Attackers with the rights to configure shortcut jobs can inject malicious JavaScript code that will be executed when users visit the shortcut URL.

Here's a sample code snippet that demonstrates the issue in the ShortcutLinkAction.java class

String getUrlName(Jenkins job) {
    String url = job.getAbsoluteUrl() + "redirect?tool=target=" + getJob().getName();
    return url;
}

Notice that the getJob().getName() is not being escaped, allowing an attacker to inject JavaScript code.

Exploit Scenario

Assume an attacker, Eve, has the rights to configure shortcut jobs in a Jenkins instance. Eve creates a shortcut job with the name jobName"><script>alert(document.cookie)</script>. A legitimate user, Bob, visits the created shortcut URL. The malicious script injected by Eve will be executed, and Bob's browser may expose sensitive data such as session cookies.

Fix:
To fix this vulnerability, the developers must properly escape the job name before appending it to the shortcut redirection URL. This can be achieved using the StringEscapeUtils.escapeHtml4() method.

Here's the fixed code snippet

String getUrlName(Jenkins job) {
    String escapedJobName = StringEscapeUtils.escapeHtml4(getJob().getName());
    String url = job.getAbsoluteUrl() + "redirect?tool=target=" + escapedJobName;
    return url;
}

Note: Make sure to import the org.apache.commons.lang.StringEscapeUtils class to use the escapeHtml4() method. Include this dependency in your pom.xml if not already present:

<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-lang3/3.12. -->
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
    <version>3.12.</version>
</dependency>

Update to the latest plugin version (.5) to ensure that your Jenkins instance is no longer vulnerable.

Original References

- Jenkins Security Advisory 2023-05-22
- Jenkins Shortcut Job Plugin Github Repository

Conclusion

In conclusion, we've discussed the CVE-2023-40346 stored cross-site scripting vulnerability that affects the Jenkins Shortcut Job Plugin version .4 and earlier. We provided code snippets to demonstrate the faulty code and its fix, as well as links to the original references. Ensuring the use of the latest plugin version (.5) will help protect your Jenkins instance from this exploit. Always keep your software up-to-date and follow security best practices to prevent or mitigate exploitation.

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 20:00:00 UTC