VYPR
Moderate severity · NVD Advisory · Published Jun 5, 2018 · Updated Sep 17, 2024

CVE-2018-1000202

Description

Persistent XSS in Jenkins Groovy Postbuild Plugin allows attackers to inject JavaScript via build badge content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Jenkins Groovy Postbuild Plugin version 2.3.1 and older contains a persisted cross-site scripting (XSS) vulnerability in various Jelly files. This allows an attacker who can control build badge content to inject arbitrary JavaScript code. The malicious script executes in another user's browser when that user performs certain UI actions, such as viewing the build page [1][2].

Exploitation

An attacker needs the ability to control build badge content, which typically requires at least Job/Configure permission or a comparable permission that allows modifying build badges. The attacker injects JavaScript into the badge content. When another user (e.g., a developer or administrator) interacts with the build page (e.g., by hovering over or clicking the badge), the injected script executes in the context of that user's Jenkins session.

Impact

Successful exploitation leads to execution of arbitrary JavaScript in the victim's browser, potentially allowing the attacker to perform actions on behalf of the victim, such as accessing sensitive data, performing administrative actions, or escalating privileges within Jenkins. The attack is persistent, meaning the malicious badge content remains active until it is removed [1][2].

Mitigation

The Jenkins Groovy Postbuild Plugin should be upgraded to version 2.3.2 or later to fix this vulnerability. The Jenkins Security Advisory 2018-05-09 [1] provides details and links to the updated plugin. There is no known workaround besides upgrading.
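The following Python is an added example, not code from the plugin or from Jenkins, and it does not reproduce the plugin's Jelly views. It illustrates the defect class the advisory describes from a defender's side: stored badge text written into markup unescaped, the same rendering with escaping applied at output time, a coarse audit over persisted badge text, and a version check against the patched release named above. The Badge class, the function names, the sample badge strings and the audit regex are all constructed for this illustration; the Affected packages table below lists 2.4 rather than 2.3.2 as the patched version, so the threshold is a parameter.

```python
"""Added example (hypothetical helpers, not plugin code): escaping persisted
badge content at render time and checking an installed plugin version."""
import html
import re
from dataclasses import dataclass


@dataclass
class Badge:
    build_id: str
    text: str  # persisted with the build record, exactly as supplied


def render_badge_unsafe(badge: Badge) -> str:
    """Vulnerable pattern: stored text is concatenated straight into markup,
    so any markup in the text becomes part of the page."""
    return f'<span class="badge">{badge.text}</span>'


def render_badge(badge: Badge) -> str:
    """Hardened pattern: escape once, at the point of output, so the stored
    text is rendered as text regardless of what it contains."""
    return f'<span class="badge">{html.escape(badge.text, quote=True)}</span>'


# Coarse markers of markup or script in what should be plain badge text:
# an opening tag, an inline event-handler attribute, or a javascript: URL.
# Constructed for this example; it is a triage aid, not a sanitizer.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def audit_badges(badges):
    """Return build ids whose persisted badge text looks like markup,
    for review after upgrading (the stored content does not go away)."""
    return [b.build_id for b in badges if MARKUP_RE.search(b.text)]


def version_tuple(version: str):
    """'2.3.1' -> (2, 3, 1); plain dotted numeric versions only."""
    return tuple(int(part) for part in version.split("."))


def needs_upgrade(installed: str, patched: str = "2.3.2") -> bool:
    """True when the installed plugin version is below the patched one."""
    return version_tuple(installed) < version_tuple(patched)


# Constructed sample data: one benign badge and one carrying stored markup.
SAMPLE_BADGES = [
    Badge("build-41", "tests: 120 passed"),
    Badge("build-42", '<script>alert("badge")</script>'),
]

if __name__ == "__main__":
    for badge in SAMPLE_BADGES:
        print("unsafe :", render_badge_unsafe(badge))
        print("escaped:", render_badge(badge))
    print("badges to review:", audit_badges(SAMPLE_BADGES))
    print("2.3.1 needs upgrade:", needs_upgrade("2.3.1"))
```

The escaped rendering turns the stored `<script>` element into inert text, while the unsafe rendering emits it verbatim; the audit is deliberately simple and exists only to list stored badges worth a look once the plugin has been upgraded, since upgrading fixes rendering but does not delete content already persisted.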

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Ecosystem   Affected versions   Patched versions
org.jvnet.hudson.plugins:groovy-postbuild   Maven       < 2.4               2.4

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 3