CVE-2018-1000177

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Jenkins S3 Plugin version 0.10.12 and older. Specifically, the file src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly does not properly escape file names of uploaded files. This allows an attacker to define file names containing JavaScript that will be executed in another user's browser when that user performs certain UI actions [1].

Exploitation

An attacker must have the ability to upload files with arbitrary names to a Jenkins job using the S3 Plugin. The attacker uploads a file whose name includes malicious JavaScript. When another Jenkins user views the artifact list or performs UI actions that display uploaded file names (e.g., browsing a build's artifacts), the attacker's script executes in the victim's browser [2]. No special network position is required beyond access to the Jenkins instance as an authenticated user with upload permissions.

Impact

Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, arbitrary actions performed on behalf of the victim user, and potential compromise of the Jenkins instance. The attack impacts the confidentiality, integrity, and availability of the Jenkins environment [1].

Mitigation

Jenkins released an updated version of the S3 Plugin that properly escapes file names, as announced in the security advisory on 2018-04-16 [2]. Users should upgrade to a version newer than 0.10.12. No workaround is documented for this vulnerability. If upgrading is not possible, restricting the ability to upload files to trusted users may reduce risk.