CVE-2022-23108

Vulnerability

Jenkins Badge Plugin version 1.9 and earlier does not escape the description field and does not check for allowed protocols when creating a badge. This allows an attacker to inject arbitrary HTML and JavaScript into the badge description or use dangerous protocols like javascript: in badge links, resulting in a stored cross-site scripting (XSS) vulnerability [1][3].

Exploitation

An attacker with Item/Configure permission can create or modify a badge with a malicious description or link. The attacker can craft a badge description containing JavaScript code or set the badge link to a javascript: URI. When other users view the job or build page containing the badge, the injected script executes in the context of their Jenkins session [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user viewing the affected badge. This can lead to session hijacking, credential theft, unauthorized actions on behalf of the victim, or defacement of Jenkins pages. The attack is stored, meaning the malicious badge persists until removed or the plugin is updated [1][3].

Mitigation

The issue is fixed in Badge Plugin version 1.9.1, released on January 12, 2022 [2]. Users should upgrade to version 1.9.1 or later. As a workaround, administrators can restrict Item/Configure permission to trusted users only. There is no other known workaround [1][4].