Jenkins TAP Plugin version 2.3 and earlier contains a stored Cross-Site Scripting (XSS) vulnerability, which can be exploited by attackers who have control over TAP (Test Anything Protocol) file contents. In this long-read post, we will discuss the details of this vulnerability (CVE-2023-41940), how attackers can exploit it, and what mitigation measures can be taken to protect Jenkins instances. In addition, we will provide code snippets, reference links, and related information.

The Vulnerability

The issue lies in the Jenkins TAP Plugin not escaping TAP file contents before rendering them, which allows an attacker who controls a TAP file to place JavaScript inside it. When the file is parsed and its results displayed on the Jenkins server, the injected script runs in the browser of whoever views the results page, making this a stored XSS attack. The CVE-ID assigned to this vulnerability is CVE-2023-41940. Stored XSS vulnerabilities are particularly dangerous, as they can lead to theft of user credentials, session tokens, and sensitive data.

Details of the exploit

To understand the exploit, let's consider the following TAP content example that triggers the vulnerability:

1..1
ok 1 - <img src=x onerror=alert(1)> # TODO

In this example, a legitimate TAP test result has been modified to include an HTML "img" element with an "onerror" event handler that executes JavaScript code to display an alert. If a Jenkins instance with a vulnerable TAP Plugin processes this file, the test description is inserted into the results page without escaping, so the browser interprets it as markup and the alert is displayed when a user views the TAP test results.

Execute the Jenkins job to read and process the malicious TAP file.

5. Navigate to the job's TAP test results page and notice the alert being displayed, confirming the successful exploitation of the vulnerability.

Mitigation Measures

To protect against this vulnerability, users are advised to upgrade their Jenkins TAP Plugin to version 2.4 or later, which addresses the issue by properly escaping TAP file contents before rendering them in the browser. With escaping in place, characters such as "<" and ">" in a test description are shown as literal text instead of being interpreted as HTML, so the injected script never executes in the user's browser.
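The following Python script is an added example written for this post; it is not code from the Jenkins TAP Plugin, which is written in Java. It parses a small, constructed TAP document (whose first test line is the one quoted above), renders it the way the vulnerable plugin did (field text concatenated straight into HTML) and the way the fixed plugin does (every file-controlled field HTML-escaped), and includes a simple check that flags results whose text contains HTML metacharacters, which is useful for spotting tampered TAP files in build output. The parser handles only the basic "ok / not ok <number> - <description> # <directive>" line shape; plan lines and diagnostics are skipped, and the function and variable names are the example's own.

```python
import html
import re

# Constructed sample TAP document. The first test line is the one quoted in
# the post; the second is an ordinary, harmless result added for contrast.
SAMPLE_TAP = """1..2
ok 1 - <img src=x onerror=alert(1)> # TODO
ok 2 - login works
"""

# One TAP test line: status, optional number, optional "- description",
# optional "# directive". Plan lines (1..N) and diagnostics are skipped.
TEST_LINE = re.compile(
    r"^(?P<ok>not ok|ok)\s*(?P<num>\d+)?\s*(?:-\s*)?"
    r"(?P<desc>[^#]*)(?:#\s*(?P<directive>.*))?$"
)


def parse_tap(text):
    """Parse TAP text into a list of test results (dicts)."""
    results = []
    for line in text.splitlines():
        m = TEST_LINE.match(line.strip())
        if not m:
            continue
        results.append({
            "ok": m.group("ok") == "ok",
            "number": int(m.group("num")) if m.group("num") else None,
            "description": m.group("desc").strip(),
            "directive": (m.group("directive") or "").strip(),
        })
    return results


def render_unescaped(results):
    """Reproduces the defect: file-controlled fields are concatenated into HTML."""
    rows = []
    for r in results:
        status = "ok" if r["ok"] else "not ok"
        rows.append(
            f"<tr><td>{r['number']}</td><td>{status}</td>"
            f"<td>{r['description']}</td><td>{r['directive']}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def render_escaped(results):
    """Hardened form: every field taken from the TAP file is HTML-escaped."""
    rows = []
    for r in results:
        status = "ok" if r["ok"] else "not ok"
        rows.append(
            "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
                html.escape(str(r["number"])),
                html.escape(status),
                html.escape(r["description"]),  # quote=True also escapes ' and "
                html.escape(r["directive"]),
            )
        )
    return "<table>" + "".join(rows) + "</table>"


def flag_markup(results):
    """Detection aid: numbers of results whose text contains HTML metacharacters."""
    suspicious = []
    for r in results:
        text = r["description"] + " " + r["directive"]
        if re.search(r"[<>]", text):
            suspicious.append(r["number"])
    return suspicious


if __name__ == "__main__":
    parsed = parse_tap(SAMPLE_TAP)
    print(render_unescaped(parsed))
    print(render_escaped(parsed))
    print("results containing markup:", flag_markup(parsed))
```

Running the script prints two tables: in the first, the "img" element from test 1 survives as live markup, which is exactly what a browser would execute; in the second it appears as "&lt;img ...&gt;" and is displayed as text. The escaping is applied to every field copied from the file, not just the description, because a directive or test number is just as attacker-controlled as the description.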

https://www.jenkins.io/security/advisory/2022-02-22/#SECURITY-919

Conclusion

Stored XSS vulnerabilities such as the one described in this post (CVE-2023-41940) can have critical consequences for applications and their users. It is essential to stay up-to-date with security patches and ensure that user-supplied content, including TAP files, is escaped and rendered safely in web applications. By keeping the Jenkins TAP Plugin updated and adhering to security best practices, Jenkins users can mitigate the risk of this vulnerability and protect their environments from potential attacks.

Timeline

Published on: 09/06/2023 13:15:11 UTC
Last modified on: 09/11/2023 17:49:38 UTC