In August 2023, a security flaw (CVE-2023-40350) was disclosed in the Jenkins Docker Swarm Plugin. If you use Jenkins with Docker Swarm and haven't heard about it, keep reading. I'll explain exactly what happened, show how it works, and give you simple advice to stay safe.
What Is CVE-2023-40350?
CVE-2023-40350 is a *stored cross-site scripting (XSS)* vulnerability found in Jenkins’ Docker Swarm Plugin, version 1.11 and earlier.
Who Is Affected?
Anyone running Jenkins with Docker Swarm Plugin version 1.11 or earlier.
How It Works
- The plugin queries the Docker API and shows what comes back (container names, image names, labels and similar fields) on the Jenkins Swarm Dashboard.
- Those values go straight into the dashboard's HTML without being escaped.
- So an attacker who can control part of a Docker response, whether by setting metadata on the objects Docker reports or by answering the plugin's API calls from an endpoint they control, can smuggle in HTML and JavaScript.
- The next time an admin or user opens the dashboard, that code runs in their browser, inside their Jenkins session.
The Vulnerability in Detail
When Jenkins admins look at their Swarm Dashboard, details like container names, image names, labels, etc., are displayed. Normally, unsafe characters like < or > should be escaped so browsers don’t interpret them as real HTML or JavaScript.
That means if a Docker object carried a label whose value is something like
<script>alert('XSS')</script>
…it would be rendered directly by the browser. (Container names are a poor vehicle for this: Docker only accepts names matching [a-zA-Z0-9][a-zA-Z0-9_.-]+, but label values are free-form strings.) If an attacker controls the Docker endpoint Jenkins talks to, or can set metadata on the objects it lists, they can attack your Jenkins users.
Simple Proof-Of-Concept (PoC) Exploit
Here’s how an attacker could pull off the stored XSS.
Step 1: Plant the payload in Docker-supplied metadata
Container names will not carry the payload, because the Docker daemon rejects names with characters outside [a-zA-Z0-9_.-]; a command such as docker run --name "<script>alert('XSS')</script>" nginx:alpine fails with Docker's invalid container name error. Labels accept arbitrary strings, so use one:
docker run --label "owner=<img src=x onerror=alert('XSS')>" nginx:alpine
An attacker who controls the Docker API endpoint itself, the case the Jenkins advisory describes, needs no docker command at all: they simply return crafted JSON to the plugin.
Step 2: Jenkins (via the Docker Swarm Plugin) queries Docker and gets back all the metadata, including the poisoned label value.
Step 3: An admin opens the Swarm Dashboard page in Jenkins.
Result: alert('XSS') runs inside their browser session. A real attack can be far worse: session hijacking, credential theft, or triggering admin actions through the victim's Jenkins session.
Here's a very simplified snippet to show what went wrong; it is not the real source code:
// BAD: Unescaped Docker-supplied values used directly in HTML
out.println("<td>" + dockerInfo.get("containerName") + "</td>");
This code should be escaping HTML special characters to prevent XSS. But it doesn’t.
How To Fix
The Jenkins Security Advisory of 2023-08-16 that disclosed this issue did not list a fixed release at the time of publication, so do not assume a newer plugin version closes the hole: check the advisory and the plugin's page for the current status before relying on an upgrade. Until you are running a release that the advisory marks as fixed, reduce who can shape the data the plugin renders: point the plugin only at Docker endpoints you trust and protect that connection with TLS and client certificates, restrict who can create or label the services and containers Docker reports, and if you cannot do that, disable or uninstall the plugin.
Whatever the release, the fix itself is to escape every Docker-supplied value before it is inserted into the page. Fixed code would look like
// GOOD: Properly escape values before inserting into web pages
out.println("<td>" + Util.escape(dockerInfo.get("containerName")) + "</td>");
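To make the difference concrete, here is an added, runnable Python model of the problem. It is not the plugin's code (the plugin is Java and renders through Jenkins views), and the Docker API response it uses is constructed test data, not a real capture. It renders a dashboard table twice, once the way the vulnerable plugin does (raw values concatenated into markup) and once with escaping, and includes a small audit helper that flags API values containing HTML metacharacters, the check you could run over real docker inspect or API output to find metadata that an unescaping dashboard would render as markup.

```python
import html
import json

# Constructed sample of a Docker Engine API /containers/json response (test data
# made up for this example, not a real capture). The second container carries an
# XSS payload in a label; Docker accepts it because label values are free-form.
SAMPLE_DOCKER_RESPONSE = json.dumps([
    {
        "Id": "c0ffee01",
        "Names": ["/web-1"],
        "Image": "nginx:alpine",
        "Labels": {"owner": "ops"},
    },
    {
        "Id": "c0ffee02",
        "Names": ["/web-2"],
        "Image": "nginx:alpine",
        "Labels": {"owner": "<img src=x onerror=alert('XSS')>"},
    },
])


def labels_as_text(container):
    """Flatten a container's label map into 'key=value, key=value'."""
    return ", ".join(f"{k}={v}" for k, v in sorted(container["Labels"].items()))


def render_row_vulnerable(container):
    """BAD: API-supplied strings are concatenated straight into the markup."""
    name = container["Names"][0].lstrip("/")
    return (f"<tr><td>{name}</td><td>{container['Image']}</td>"
            f"<td>{labels_as_text(container)}</td></tr>")


def render_row_safe(container):
    """GOOD: every untrusted value is HTML-escaped before it enters the markup."""
    name = html.escape(container["Names"][0].lstrip("/"), quote=True)
    image = html.escape(container["Image"], quote=True)
    labels = html.escape(labels_as_text(container), quote=True)
    return f"<tr><td>{name}</td><td>{image}</td><td>{labels}</td></tr>"


def render_dashboard(response_json, row_renderer):
    """Build the dashboard table from a Docker API response with the given row renderer."""
    containers = json.loads(response_json)
    rows = "".join(row_renderer(c) for c in containers)
    return f"<table>{rows}</table>"


HTML_METACHARS = set('<>"\'&')


def find_suspicious_values(response_json):
    """Audit helper: return (container id, field, value) for every API string that
    contains an HTML metacharacter. Such values are exactly what an unescaping
    dashboard would hand to the browser as markup."""
    findings = []
    for c in json.loads(response_json):
        candidates = [("Names", n) for n in c.get("Names", [])]
        candidates.append(("Image", c.get("Image", "")))
        candidates += [(f"Labels.{k}", v) for k, v in c.get("Labels", {}).items()]
        for field, value in candidates:
            if any(ch in HTML_METACHARS for ch in value):
                findings.append((c["Id"], field, value))
    return findings


if __name__ == "__main__":
    print(render_dashboard(SAMPLE_DOCKER_RESPONSE, render_row_vulnerable))
    print(render_dashboard(SAMPLE_DOCKER_RESPONSE, render_row_safe))
    for finding in find_suspicious_values(SAMPLE_DOCKER_RESPONSE):
        print("suspicious:", finding)
```

Running it prints the vulnerable table with the <img ...> tag intact, the safe table with it turned into &lt;img ... &gt; text, and one audit finding for the poisoned label. The audit helper is deliberately noisy (an ampersand in a label is enough to trigger it); that is the right bias when hunting for metadata that a dashboard renders unescaped.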
References
- Jenkins Security Advisory 2023-08-16
- CVE-2023-40350 @ NVD
- Docker Swarm Jenkins Plugin
- Jenkins Plugin Security Best Practices
Final Thoughts
If you run Jenkins with the Docker Swarm Plugin, act now: check the advisory for the fix status and, until you have a fixed release installed, lock down who can influence the Docker API responses the plugin renders. Stored XSS can lead to full Jenkins compromise, not just annoyance: anyone who controls Docker responses can potentially inject code into your most trusted admin interface.
Don't wait for a real attack; deal with it today!
If you liked this post and want more simple breakdowns of real security flaws, let me know what you want explained next!
Timeline
Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 19:56:00 UTC