CVE-2023-40346 - Exploiting XSS in Jenkins Shortcut Job Plugin (.4 and earlier) - Simply Explained with a Code Example
Jenkins is a popular automation server used for continuous integration and delivery (CI/CD). But sometimes, plugins can introduce security issues. Recently, a critical vulnerability was found in the Jenkins Shortcut Job Plugin, tracked as CVE-2023-40346.
In this post, we’ll break down what this vulnerability is, show you how it works with example code, and explain how attackers could exploit it. We’ll also list the important original references at the end.
What is Jenkins Shortcut Job Plugin?
The Jenkins Shortcut Job Plugin allows Jenkins users to create “shortcuts” to jobs. This makes it easier to link to jobs in reports, dashboards, or custom user interfaces.
Vulnerability Overview: Stored XSS
CVE-2023-40346 affects version .4 and all earlier versions. The plugin does not properly sanitize the “shortcut redirection URL” before storing and rendering it. As a result, an attacker who can configure a shortcut job can inject JavaScript that is saved in the job configuration and served to anyone who views the job.
What’s XSS?
Cross-site scripting (XSS) is a way for attackers to run malicious scripts in your browser. With stored XSS, the bad code actually gets saved on the Jenkins server and is shown whenever someone views the affected page.
Step-by-Step Exploitation
1. Attacker configures a shortcut job: The attacker saves a harmful URL value (containing JavaScript) in the Shortcut Job’s settings.
2. Malicious code gets stored: The plugin does not validate or escape the value when it is saved, so the payload lands in the job configuration as-is.
3. Victim views the shortcut job: When someone views the job (e.g., an admin or developer), Jenkins renders the stored value into the page without escaping it.
4. Payload executes: The JavaScript runs in the victim’s browser with that user’s Jenkins session, which can lead to session hijacking, data theft, or actions performed in Jenkins as the victim.
Example: Crafting the Exploit
Here’s a snippet that shows how an attacker could set up this exploit.
Suppose the Shortcut URL field accepts any value. Instead of a legitimate link, the attacker supplies:
"><script>alert('XSS via CVE-2023-40346');</script>
Example in Shortcut Job Config
<shortcut>
<url>"><script>alert('XSS via CVE-2023-40346');</script></url>
</shortcut>
- Set the Shortcut URL field to:
"><script>alert('XSS via CVE-2023-40346');</script>
- Save the job.
Result:
Any user who views the shortcut page will trigger the alert box. A real attacker would replace the alert with script that steals session cookies or performs actions as the victim.
Proof-of-Concept Example (PoC)
If you’re a security tester with a test Jenkins instance, set up a shortcut job and use the above payload in the URL. The pop-up demonstrates a successful XSS.
Impact
- Privileges: Any user who can configure shortcut jobs can set this up.
- Chained Attacks: Attackers could steal admin cookies or trigger actions as admins to take over Jenkins.
Mitigation
- Upgrade: Update the Shortcut Job Plugin to the latest version (if available).
- Sanitize Inputs: Make sure any plugin or code handling URLs validates them before saving and escapes them before displaying.
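To make the “Crafting the Exploit” section and the “Sanitize Inputs” advice concrete, here is an added Node.js example (not the plugin’s own code). It shows the vulnerable concatenation pattern beside a hardened version that validates the URL before saving and escapes it when rendering, plus a small audit helper that flags stored `<url>` values in a shortcut job’s config.xml that could never have passed validation. The sample config, the `ci.example.com` host and all function names are constructed for this example.

```javascript
// Added example (not the plugin's own code): how an unescaped shortcut URL
// breaks out of the page, the validate-on-save / escape-on-render fix, and a
// config.xml audit. Plain Node.js, no dependencies.
const PAYLOAD = `"><script>alert('XSS via CVE-2023-40346');</script>`; // payload from the post

// Vulnerable pattern: the stored value is concatenated straight into the HTML.
function renderShortcutUnsafe(url) {
  return `<a href="${url}">Open shortcut</a>`;
}

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs or site-relative paths. Anything else
// (javascript:, data:, protocol-relative, attribute break-outs) is rejected.
function isSafeShortcutUrl(url) {
  if (typeof url !== 'string' || /[\s<>"']/.test(url)) return false;
  if (url.startsWith('/')) return !url.startsWith('//');
  try {
    const p = new URL(url).protocol;
    return p === 'http:' || p === 'https:';
  } catch { return false; }
}

// Hardened pattern: reject bad values before they are stored, and still
// escape the accepted ones when rendering.
function renderShortcutSafe(url) {
  if (!isSafeShortcutUrl(url)) throw new Error('rejected shortcut URL');
  return `<a href="${escapeHtml(url)}">Open shortcut</a>`;
}

// Audit helper for defenders: pull every <url> out of a shortcut job's
// config.xml (XML entities decoded, since serialization escapes them) and
// report values that could not have passed validation.
function decodeXml(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'").replace(/&amp;/g, '&');
}
function findSuspiciousShortcutUrls(configXml) {
  const hits = [];
  for (const m of configXml.matchAll(/<url>([\s\S]*?)<\/url>/g)) {
    const value = decodeXml(m[1]);
    if (!isSafeShortcutUrl(value)) hits.push(value);
  }
  return hits;
}
// Constructed sample config.xml (not a real capture): one clean, one injected.
const SAMPLE_CONFIG = `<shortcut><url>https://ci.example.com/job/build/</url></shortcut>
<shortcut><url>&quot;&gt;&lt;script&gt;alert('XSS via CVE-2023-40346');&lt;/script&gt;</url></shortcut>`;
```

Running `findSuspiciousShortcutUrls` over each shortcut job’s config.xml on an instance that cannot yet be upgraded gives a quick inventory of jobs that need manual review.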
Official References
- Jenkins Security Advisory for CVE-2023-40346
- NVD Entry - CVE-2023-40346
- Shortcut Job Plugin Page
Summary
CVE-2023-40346 is a real and exploitable stored XSS in Jenkins Shortcut Job Plugin .4 (and earlier). Attackers with permission to configure shortcut jobs can inject code that runs in other users’ browsers. Always keep plugins updated, practice the principle of least privilege, and sanitize all user-controlled input!
Stay safe – keep your Jenkins and plugins up to date.
Timeline
Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 20:00:00 UTC