Vendor URL: https://plugins.jenkins.io/delivery-pipeline-plugin
Versions affected: 1.0.7 (up to and including)
Systems Affected: Jenkins
Author: Viktor Gazdag viktor.gazdag[at]nccgroup[dot]trust
Advisory URL / CVE Identifier: https://jenkins.io/security/advisory/2017-11-16/
Risk: Medium – 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting)
Summary
The Delivery Pipeline Plugin is a Jenkins plugin that helps visualize delivery/build pipelines. A parameter of the plugin is vulnerable to reflected cross-site scripting and, depending on the configuration, can allow authenticated or unauthenticated attackers to inject JavaScript code into the web page.
Location
The parameter called ‘fullscreen’ in the Delivery Pipeline Plugin was found to be vulnerable.
Impact
The vulnerability allows authenticated or unauthenticated (depending on the configuration) attackers to inject JavaScript code into the web page, for example to extract and steal the CSRF token called ‘crumb’.
Details
An example URL of the view is: http://hostname:8443/view/OMITTED-pipeline/?fullscreen=true
Basic code to show a popup window can be created with the following payload:
The following GET request and response show an example of how the vulnerability might be exploited:
Host: xxx.xxx.xxx.xxx:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: screenResolution=1920×1080; jenkins-timestamper-offset=-3600000; jenkins-timestamper=system; jenkins-timestamper-local=false; JSESSIONID.3dad5835=node0polduo6f03521qemnwxzxsuq71517.node0; screenResolution=1920×1080
Connection: close
Upgrade-Insecure-Requests: 1
The pipelineutils.updatePipelines() function in the response contains the submitted payload and will show a popup window:
Server: nginx/1.10.2
Date: Tue, 26 Sep 2017 16:51:28 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 15251
Connection: close
X-Content-Type-Options: nosniff
Expires: 0
Cache-Control: no-cache,no-store,must-revalidate
X-Hudson-Theme: default
X-Hudson: 1.395
X-Jenkins: 2.78
X-Jenkins-Session: e6f83b99
X-Frame-Options: sameorigin
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkMubT4QgTWD1/LNMG5xdhX7n5Gzw4NmUubl6lS21l4EWkTZt3CDn8loWsgv++j4avamvNbzV6AvKqf9SPWnSjwRFk0ndm5B8rV2wrxFiQqxx83TGiQ3m0Xj8+PYBX7Vo6WgvQ7CSm/fbVK4Pn9OsVeacQffh6bROrKjW1hXP/ycEvsjKLGkLvxyrz65qe6rP9sjvjkxxRO1Dr+hbQS2PjyOS4rlpqL0pQWHfHlnxu415G4N3Iqwqt0aFu7iYtAgwa1GMO9OKwgNqGCcq2NoOg1FmLfTNC96uD0f+y+wz6kjz6aMg0jcMm4OaC6/39QdbXSWCLzrjj6zSfdIxU+oQfwIDAQAB
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
…OMITTED DATA…
">
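The reflection pattern described under Details, as an added illustration that is not the plugin's own code: a hypothetical minimal renderer that splices the raw ‘fullscreen’ query value into the inline pipelineutils.updatePipelines() call, beside a hardened version that accepts only the literal value true and emits a JSON boolean. The host name and sample URLs are constructed for the example.

```javascript
// Hypothetical renderer for the view page's inline script call (not the plugin's code).

// Vulnerable shape: the raw query value is spliced into the inline script unchanged,
// so a value containing '"' or '<' breaks out of the string literal and the script tag.
function renderVulnerable(viewUrl) {
  const fullscreen = new URL(viewUrl).searchParams.get("fullscreen") || "false";
  return `<script>pipelineutils.updatePipelines("${fullscreen}");</script>`;
}

// Hardened shape: the parameter is a two-valued flag. Only the literal "true" is
// accepted; anything else (absent, empty, or hostile) is treated as false.
function parseFullscreen(raw) {
  return raw === "true";
}

// The value emitted into the script is a JSON boolean literal, never caller-controlled text.
function renderFixed(viewUrl) {
  const raw = new URL(viewUrl).searchParams.get("fullscreen");
  const fullscreen = parseFullscreen(raw);
  return `<script>pipelineutils.updatePipelines(${JSON.stringify(fullscreen)});</script>`;
}

// Constructed sample URLs; jenkins.example is a placeholder host, not from the advisory.
const BENIGN_URL = "http://jenkins.example:8443/view/demo-pipeline/?fullscreen=true";
const HOSTILE_URL = 'http://jenkins.example:8443/view/demo-pipeline/?fullscreen=true"><b>x</b>';

// Defender-side check: does untrusted markup from the query survive into the response?
function reflectsUntrustedMarkup(html) {
  return html.includes("<b>x</b>");
}

console.log(renderVulnerable(HOSTILE_URL)); // markup from the query appears verbatim
console.log(renderFixed(HOSTILE_URL));      // pipelineutils.updatePipelines(false)
```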
Recommendation
Jenkins and the plugin developers have released a new version of the plugin that should be installed: https://repo.jenkins-ci.org/releases/se/diabol/jenkins/pipeline/delivery-pipeline-plugin/1.0.8/
Vendor Communication
2017-10-24 Acknowledgement of Core and Plugin developers
2017-11-16 Patch released
Thanks to
Gabor Pilsits
About NCC Group
NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cyber security.
Written by: Viktor Gazdag