CVE-2023-4303 - Exploiting HTML Injection in Jenkins Fortify Plugin (22.1.38 and Earlier)

A critical security vulnerability—tracked as CVE-2023-4303—was discovered in the Jenkins Fortify Plugin, versions 22.1.38 and earlier. This bug allows attackers to inject malicious HTML into Jenkins pages by exploiting improper error message handling in a form validation method. This vulnerability is easy to overlook, but its consequences can be serious, especially if Jenkins is exposed to untrusted users or networks.

This post will break down the vulnerability in simple terms, show how the bug works using code snippets, provide an example exploit, and point you to the official references.

What Is Jenkins Fortify Plugin?

Jenkins is a popular open-source automation server, widely used for continuous integration (CI) and continuous delivery (CD). The Fortify Plugin integrates Fortify Static Code Analyzer results into Jenkins builds.

The Problem: HTML Injection via Unescaped Error Messages

In the plugin versions 22.1.38 and below, form validation methods did not properly sanitize or escape error messages. If attackers can control part of the input that ends up in an error message, they can inject HTML (and even JavaScript) into the Jenkins web interface.

Why is this dangerous?

- HTML/JavaScript injection can hijack user sessions, deface the interface, or trick users into doing something dangerous (phishing).

Let’s look at what might cause this issue. Imagine a form validation method like this

public FormValidation doCheckSomeUserInput(@QueryParameter String value) {
    if (value.contains("<script>")) {
        return FormValidation.error("Invalid input: " + value);
    }
    return FormValidation.ok();
}

Here’s the problem:
If a user submits <b>not allowed</b> as their input, the error message shown in the Jenkins web UI will be:

Invalid input: <b>not allowed</b>

Since the message is not escaped, Jenkins will render the HTML tags, making "not allowed" appear bold. If the attacker manages to include <script> tags, arbitrary JavaScript can be executed in the browser.

The attacker has access to any configuration form using the vulnerable plugin.

2. They submit malicious HTML / JavaScript in a parameter field.

Let's say a plugin configuration field is vulnerable. An attacker could enter the following as input

<script>alert('Jenkins XSS!')</script>

When validation fails, the error message displayed will include this input, and the browser will execute the script:

return FormValidation.error("Input is invalid: " + value);
// If value = "<script>alert('Jenkins XSS!')</script>", 
// The popup will trigger in any administrator's browser who views this page.

Official References

- Jenkins Security Advisory: SECURITY-3248 / CVE-2023-4303
- CVE Details: NVD - CVE-2023-4303
- Fortify Plugin: Jenkins Plugins Page

Conclusion

CVE-2023-4303 is a straight-forward but dangerous vulnerability: it shows the critical importance of escaping user input in web applications, especially in admin-facing tools like Jenkins. If you use the Fortify plugin, make sure your version is up to date, and always follow best practices for input validation and output escaping.

Stay safe—always patch early, and test your Jenkins setup for similar issues!


*This article is written exclusively for educational purposes. Never use this information to attack systems you do not own or have explicit permission to test.*

Timeline

Published on: 08/21/2023 23:15:00 UTC
Last modified on: 08/24/2023 21:35:00 UTC