CVE-2022-45401 - Breaking Down the Jenkins Associated Files Plugin XSS Flaw (How Attackers Can Exploit It)

---

Jenkins is used in thousands of organizations for automating software builds, tests, and deployments. With its huge ecosystem of plugins, Jenkins is a power tool for developers — but plugins can also open up critical security holes. One such bug is CVE-2022-45401, a stored cross-site scripting (XSS) flaw in the Associated Files Plugin, versions .2.1 and earlier.

In this post, I’ll unpack what went wrong, how this XSS can be exploited, and why patching is crucial. I’ll also show you code snippets for a basic proof-of-concept exploit.

What’s the CVE About?

Vulnerability: Stored XSS in Jenkins Associated Files Plugin  
Affected Versions: .2.1 and earlier  
CVE: CVE-2022-45401  
Jenkins Advisory: Jenkins Security Advisory 2022-11-15

This plugin lets Jenkins administrators upload and manage any files associated with a particular "item" (like a project or build job). Unfortunately, it doesn’t escape (sanitize) the names of the associated files before displaying them in the UI. The result: if an attacker with *Item/Configure* permissions uploads a file with a malicious name, that JavaScript executes for any user who views the job configuration.

Why Is This Bad?

- Stored XSS is far worse than reflected XSS. It stays on the server and affects everyone who views the infected page.
- Any Jenkins user with Item/Configure rights can attack others, including admins.
- If an admin gets hit, session hijacking, privilege escalation, or further compromise are all possible.

Proof-Of-Concept: Exploiting the XSS

Let’s walk through a simple exploit. You’ll need Jenkins with Associated Files Plugin ≤ .2.1, and any user with permission to configure a project/job.

Example of a payload as the filename

"><img src=x onerror=alert('XSS')>

Simulated Code Snippet (Vulnerable Rendering)

Here’s a simplified (and unsafe) pseudo-code that shows how the vulnerability works behind the scenes:

// List of associated files
for (File f : files) {
    // BAD: Not escaping file.getName()
    out.println("<li>" + f.getName() + "</li>");
}

If the file name contains malicious code, it will be injected directly into the HTML.

The Result

!alert showing XSS popup

Anyone viewing the files list will see an alert. Real attacks, of course, might steal cookies, perform actions, or inject worse stuff.

How to Fix It

Upgrade to the latest Associated Files Plugin:  
As per the Jenkins Security Advisory, update your plugin to the fixed version (.2.2 or later).

What’s the patch?

Escaping any user-controlled output (like file names) before adding it to HTML. For example, using

out.println("<li>" + Util.escape(f.getName()) + "</li>");

References & Further Reading

- Jenkins Security Advisory 2022-11-15
- NVD CVE-2022-45401 Detail
- OWASP XSS Technical Details

CVE-2022-45401 is a stored XSS in Jenkins’ Associated Files Plugin ≤ .2.1.

- Attackers with Item/Configure access can inject scripts via file names.

Fix: Update the plugin ASAP.

If you run Jenkins, always keep plugins updated, and restrict configure permissions to only those who need it. XSS may seem simple, but on a tool like Jenkins, it can be devastating.

Timeline

Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/18/2022 04:48:00 UTC