Coordinated Disclosure Timeline
- 2023-05-18: Issue reported to the Jenkins Security Team
- 2023-06-14: Advisory published
Summary
A stored Cross-Site Scripting (XSS) vulnerability was found in the template-workflows-plugin project.
Product
Template Workflows plugin
Tested Version
Details
Stored Cross-Site Scripting (GHSL-2023-115)
The TemplatesWorkflowJob#refresh method builds an HTML response by string concatenation from user-controlled data such as the job's name, without HTML-escaping it before it lands inside an attribute value:
build.append("<tr><td></td><td><div id =\"").append(j.getName()).append(".validation\" style=\"visibility: hidden;\"></div></td></tr>");
The response from the AJAX handler is then processed by the following function, which inserts it into the DOM as HTML using innerHTML:
function refresh() {
var foo = <st:bind value="${it}"/>
foo.refresh(document.getElementById('template.templateName').value, function(t) {
document.getElementById('loading').style.visibility = 'hidden';
// sink: the server-built markup (job names included, unescaped) is parsed as HTML
document.getElementById('msg').innerHTML = t.responseObject().msg;
})
}
Proof of Concept
As a user with Job create/configure permissions, do the following:
- Create a new Template Workflow Job called foo
- Create a new Job named "onfocus="alert(document.domain)"autofocus="
- Mark it as a Building Block in a Template Workflow and assign it a name
- Send the following link to the victim: http://localhost:8080/jenkins/job/foo/configure
Impact
This issue may lead to Cross-Site Scripting in the context of the Jenkins instance and, if targeted at an administrator, it can be leveraged to achieve Remote Code Execution (RCE).
CVE
- CVE-2023-35146
Resources
Credit
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-115 in any communication regarding this issue.