Published: Summer 2024
Severity: Medium
Affected software: Jenkins AWS CodeCommit Trigger Plugin 3..12 and earlier
Jenkins is a popular automation server used for building, deploying, and automating software development. Its plugin ecosystem is massive. Sometimes, plugins introduce security problems—CVE-2023-41944 is one such case, affecting AWS CodeCommit Trigger Plugin.
Let’s break down how this bug works, show you what it looks like in code, and explain how attackers could use it.
What is CVE-2023-41944?
In Jenkins AWS CodeCommit Trigger Plugin before version 3..13, a user-provided value (queue name) is inserted into an HTML page without proper escaping. Whenever the “queue name” is checked/validated via the plugin’s form, an error message is rendered that includes this value. If someone enters HTML or JavaScript code instead of a plain text queue name, that code shows up in the browser as part of the page.
Why Does It Matter?
If an attacker can get Jenkins admins or users to visit a specially crafted link containing malicious HTML/JS in the queue name, their browser may execute unintended code. The most likely threat is stealing session cookies or CSRF tokens.
The attack is limited by the fact that you need to trick someone into visiting the crafted validation page with malicious data.
Step 1: How the plugin validates queue names
When a user sets up the plugin, there’s an input for _queue name_ (for CodeCommit events). When you enter a name, Jenkins triggers a backend validation endpoint, such as:
/job/[JobName]/descriptorByName/com.amazon.jenkins.ec2fleet.aws.AWSCodeCommitTrigger/validateQueueName?queueName=<INPUT>
Here’s what the vulnerable code (simplified) looked like in the plugin
// Vulnerable pseudo-code
public FormValidation doCheckQueueName(@QueryParameter String queueName) {
if (queueName == null || queueName.isEmpty()) {
// Unsafe: queueName is inserted raw into HTML
return FormValidation.error("Queue name '" + queueName + "' cannot be empty.");
}
// ... other checks ...
return FormValidation.ok();
}
This is unsafe: If the queueName contains "<script>alert('hacked')</script>", the error HTML will include that JavaScript *inline*.
Let’s say the attacker crafts this URL
https://jenkins.example.com/job/MyJob/descriptorByName/com.amazon.jenkins.ec2fleet.aws.AWSCodeCommitTrigger/validateQueueName?queueName=%3Cscript%3Ealert('Hacked!')%3C%2Fscript%3E
A Jenkins user who opens this URL will be shown an error message in their browser, because the queueName is empty or invalid. Because the input is NOT escaped, the JavaScript in queueName is executed in their browser.
Impact:
How to Fix
The plugin maintainers patched this in version 3..13, using HTML escaping when putting user input into the page.
Patched Code Sample
// Secure: uses escape
return FormValidation.error("Queue name '" + Util.escape(queueName) + "' cannot be empty.");
`
Jenkins Security Advisory:
https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3177
AWS CodeCommit Trigger Plugin GitHub:
https://github.com/jenkinsci/aws-codecommit-trigger-plugin
NVD entry:
https://nvd.nist.gov/vuln/detail/CVE-2023-41944
Conclusion
CVE-2023-41944 is a textbook example of why developers should always escape user input before adding it to HTML output. Even “small” plugins can open big holes.
Recommendation:
Stay safe, and remember: never trust user input!
### Want to know more about Jenkins security or other recent CVEs? Drop your queries below or check back for our next breakdown!
Timeline
Published on: 09/06/2023 13:15:00 UTC
Last modified on: 09/11/2023 18:37:00 UTC