CVE-2023-27898: Jenkins XSS Vulnerability in Plugin Incompatibility Error Messages

---

Introduction

Security researchers have identified a stored cross-site scripting (XSS) vulnerability (CVE-2023-27898) in Jenkins. This vulnerability affects Jenkins versions 2.270 through 2.393 (both inclusive) and LTS (Long-Term Support) versions 2.277.1 through 2.375.3 (both inclusive). By exploiting this vulnerability, attackers can execute malicious code in the victim's browser if they are able to supply plugins to a configured update site and get the resulting error message displayed by the Jenkins instance. In this post, we will take a deep dive into the vulnerability, explore its impact, and provide some recommendations for mitigating the risk.

Exploit Details

The vulnerability stems from the fact that Jenkins does not escape the Jenkins version a plugin depends on when rendering the error message stating that the plugin is incompatible with the current version of Jenkins. As a result, markup or script placed in that version string is rendered by the browser, which opens up a stored XSS vulnerability.

To understand the issue better, let's look at a code snippet from Jenkins where the error message is generated:

```java
// Vulnerable version: requiredCore is read from the plugin (attacker controlled
// when the plugin is served by an update site) and is concatenated into the
// message without any HTML escaping.
public String getWhy() {
    return Jenkins.VERSION.equals(requiredCore)
        ? "Dependency on Jenkins core " + Jenkins.VERSION + " is too new."
        : "This Jenkins " + Jenkins.VERSION + " is incompatible with plugin "
            + plugin.getDisplayName() + " depending on Jenkins " + requiredCore;
}
```

In the above code snippet, we can see that the required core version (`requiredCore`, taken from the plugin rather than from the server) is concatenated into the message without escaping. Due to this, an attacker can potentially inject malicious JavaScript code into the plugin's required version that will be executed when the error message is displayed.

```
2.277.1'>alert('XSS')
```

2. Victim (Jenkins administrator) installs the malicious plugin, causing the incompatibility error message to be displayed.

Original References

The Jenkins security advisory on this vulnerability can be found here: Jenkins Security Advisory 2023-01-18

The CVE details can be found here: CVE-2023-27898

Mitigation

To mitigate this vulnerability, users are advised to update their Jenkins instances to the latest available version or perform the following steps:

1. Upgrade to Jenkins 2.394 or LTS 2.376.1, which contain the fixes for this vulnerability.

2. If upgrading to the latest versions is not possible, consider the following workaround:

  - Configure your Jenkins instance to trust only update sites run by your organization or other trusted parties.

  - Manually review plugin updates before installing them, checking that the required Jenkins version is a plain version string and does not contain any malicious payload.
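As an added check for the manual-review step above (example code written for this post, not Jenkins' own), the script below opens a plugin archive (.hpi/.jpi, which is a zip file), reads the required core version from its MANIFEST.MF and flags any value that is not a plain dotted version number. The header names `Jenkins-Version` (and the older `Hudson-Version`) and the sample manifest are assumptions.

```python
import io
import re
import zipfile

# Constructed sample manifest (assumption: Jenkins plugins declare their
# required core in the Jenkins-Version header, older ones in Hudson-Version).
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Short-Name: demo-plugin\r\n"
    "Jenkins-Version: 2.277.1'>alert('XSS')\r\n"
    "\r\n"
)

# Release versions only (e.g. 2.375.3); anything else goes to manual review.
VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")

def parse_manifest(text):
    """Parse the main section of a MANIFEST.MF, folding continuation lines."""
    headers = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]  # continuation line
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers

def required_core_is_clean(manifest_text):
    """Return (ok, value); ok is True only for a plain dotted version."""
    headers = parse_manifest(manifest_text)
    value = headers.get("Jenkins-Version") or headers.get("Hudson-Version")
    if value is None:
        return False, None
    return bool(VERSION_RE.match(value)), value

def check_plugin_archive(data):
    """Check the manifest inside an .hpi/.jpi archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return required_core_is_clean(zf.read("META-INF/MANIFEST.MF").decode())

def build_sample_archive(manifest_text=SAMPLE_MANIFEST):
    # Build an in-memory archive so the check can run offline.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()
```

A real archive can be checked with `check_plugin_archive(open(path, "rb").read())`; a `False` result means the required core should be inspected by hand before the plugin is installed.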

Conclusion

It is crucial for Jenkins users to be aware of this vulnerability and take the necessary steps to protect their instances. By upgrading to the latest Jenkins version or implementing the recommended workarounds, users can reduce the risk of falling victim to this stored XSS vulnerability.

Timeline

Published on: 03/10/2023 21:15:00 UTC
Last modified on: 03/16/2023 15:40:00 UTC