Moderate severity · NVD Advisory · Published Feb 24, 2021 · Updated Aug 3, 2024

CVE-2021-21618

Description

Jenkins Repository Connector Plugin 2.0.2 and earlier fails to escape parameter names/descriptions, leading to stored XSS for attackers with Item/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions when rendering them for past builds. Because these fields are user-controlled and are written into the page as raw HTML rather than as escaped text, an attacker who can set them can inject arbitrary HTML and JavaScript into the Jenkins interface, and the payload is stored with the build so it fires on every later view of the build history [1][2].

Exploitation

To exploit this vulnerability, an attacker must have Item/Configure permission on a job. They can then create or modify build parameters with malicious scripts in the name or description fields. When other users view the past builds of that job, the malicious script executes in their browser [2]. No additional authentication is required beyond the Jenkins login with the necessary permission.

Impact

Successful exploitation allows the attacker to act in the victim's browser session: reading sensitive information, modifying job configurations, or performing other actions within Jenkins with the victim's permissions. Script running in the page can read the anti-CSRF crumb, so Jenkins' CSRF protection does not limit what the injected script can submit. Since the XSS is stored, it affects every user who views the affected build page, including administrators [2].

Mitigation

Jenkins Repository Connector Plugin version 2.0.3 fixes this vulnerability by escaping parameter names and descriptions when creating new parameters [2]. Users are advised to upgrade to this version or later. Note the wording of the fix: escaping is applied as new parameters are created, so parameter definitions saved under a vulnerable version are worth reviewing after the upgrade. There is no known workaround for earlier versions.
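The two points above (the missing escaping that causes the stored XSS, and the value of auditing parameter definitions that already exist after upgrading) are illustrated by the following added Python example. It is not code from the Repository Connector plugin or from Jenkins. It assumes the job JSON has the shape the Jenkins JSON API returns for /job/<name>/api/json?tree=property[parameterDefinitions[name,description,type]]; the sample job, including its payloads, is constructed for this example, and the two render_* functions stand in for a template that interpolates a value raw versus one that escapes it first.

```python
"""Audit stored Jenkins parameter definitions for HTML/JS in names and
descriptions, and show how escaping neutralises such a payload.

Added example, not code from the Repository Connector plugin or Jenkins.
Assumption: job JSON as returned by the Jenkins JSON API for
  /job/<name>/api/json?tree=property[parameterDefinitions[name,description,type]]
The sample job below, including the payloads, is constructed.
"""
import html
import json
import re

# Constructed sample, not a real job: one benign parameter and one whose
# name and description carry payloads of the kind the CVE describes.
SAMPLE_JOB_JSON = json.dumps({
    "_class": "hudson.model.FreeStyleProject",
    "property": [
        {
            "_class": "hudson.model.ParametersDefinitionProperty",
            "parameterDefinitions": [
                {"name": "ARTIFACT_VERSION",
                 "description": "Version to deploy",
                 "type": "StringParameterDefinition"},
                {"name": "RELEASE<img src=x onerror=alert(document.domain)>",
                 "description": "Pick a build <script>fetch('/evil')</script>",
                 "type": "StringParameterDefinition"},
            ],
        }
    ],
})

# Any character that must be escaped before being placed in HTML text.
# Deliberately broad: a stray '&' in a legitimate description is a cheap
# false positive, while a missed '<' is a missed payload.
HTML_META = re.compile(r"[<>\"'&]")


def parameter_definitions(job_json: str):
    """Yield every parameter definition dict from a job's API JSON."""
    job = json.loads(job_json)
    for prop in job.get("property", []):
        for pd in prop.get("parameterDefinitions") or []:
            yield pd


def find_suspicious(job_json: str):
    """Return (parameter name, field, value) for fields that need escaping."""
    hits = []
    for pd in parameter_definitions(job_json):
        for field in ("name", "description"):
            value = pd.get(field) or ""
            if HTML_META.search(value):
                hits.append((pd.get("name", ""), field, value))
    return hits


def render_unescaped(value: str) -> str:
    """What a template does when it interpolates the value raw (the bug)."""
    return f"<label>{value}</label>"


def render_escaped(value: str) -> str:
    """The fix: escape the value before it enters the HTML text node."""
    return f"<label>{html.escape(value, quote=True)}</label>"


if __name__ == "__main__":
    for name, field, value in find_suspicious(SAMPLE_JOB_JSON):
        print(f"{name!r}: {field} needs escaping")
        print("  raw    :", render_unescaped(value))
        print("  escaped:", render_escaped(value))
```

Pointed at a real controller, replace SAMPLE_JOB_JSON with the response from the API URL above for each job; a hit does not prove exploitation, only that the stored value would execute if rendered without escaping, which is exactly the situation the fixed version prevents for newly created parameters.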

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                       Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:repository-connector   Maven       < 2.0.3             2.0.3
