VYPR
High severity · NVD Advisory · Published May 17, 2022 · Updated Aug 3, 2024

CVE-2022-30956

Description

Jenkins Rundeck Plugin 3.6.10 and earlier has a stored XSS vulnerability via unrestricted URL schemes in webhook submissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions. This allows attackers to inject arbitrary JavaScript or other active content into the Jenkins interface by submitting a crafted webhook payload. The vulnerability is stored cross-site scripting (XSS) and resides in the plugin's handling of webhook notifications from Rundeck. [1][2]

Exploitation

An attacker must be able to submit crafted Rundeck webhook payloads. No special network position or authentication is required beyond the ability to send a webhook to the Jenkins instance configured to receive such notifications. By sending a payload with a malicious URL scheme (e.g., javascript:) the attacker can inject script content that will be stored and later executed in the context of the Jenkins user interface. [1]

Impact

When a victim user accesses the Jenkins interface where the malicious webhook content is displayed, the injected script executes in the user's browser. This can lead to disclosure of sensitive information, session hijacking, or further actions within Jenkins with the victim's privileges. The impact is limited to the browser context but can be chained with other vulnerabilities for more severe consequences. [1]

Mitigation

Jenkins Rundeck Plugin 3.6.11 is the fixed version, released as part of the 2022-05-17 security advisory. Users should upgrade to 3.6.11 or later. No workarounds are described in the available references. [1][3]
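To illustrate the class of fix for the root cause named above (a webhook-supplied URL accepted with any scheme), here is an added Java example; it is not the Rundeck plugin's own code and does not claim to show how 3.6.11 implements the fix, and the class and method names are hypothetical. It applies a scheme allowlist before a link is stored or rendered, and goes beyond the javascript: case in the text to also handle scheme case, leading control characters, data: URIs and scheme-less forms.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not the Rundeck plugin's code: allowlist the scheme of a
// webhook-supplied link before storing it or rendering it as an <a href>.
public final class WebhookLinkFilter {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // Returns the cleaned URL when its scheme is http(s) and it names a host;
    // returns null otherwise, meaning "show the text, never make it a link".
    public static String acceptLink(String raw) {
        if (raw == null) return null;
        // Browsers drop ASCII control characters and whitespace before reading
        // the scheme, so "\tjavascript:..." would still run; strip them first.
        String cleaned = raw.replaceAll("[\\x00-\\x20]", "");
        URI uri;
        try {
            uri = new URI(cleaned);
        } catch (URISyntaxException e) {
            return null;                 // unparsable input is not a link
        }
        String scheme = uri.getScheme();
        if (scheme == null) return null; // relative or "//host" forms: nothing to trust
        if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) return null;
        if (uri.getHost() == null) return null; // opaque "http:foo" is not a web link
        return cleaned;
    }

    public static void main(String[] args) {
        // Constructed sample values such as a webhook field might carry
        String[] samples = {
            "https://rundeck.example/project/demo/execution/42",
            "HTTP://rundeck.example/x",
            "javascript:alert(1)",
            "JavaScript:alert(1)",
            "\tjavascript:alert(1)",
            "data:text/html;base64,AAAA",
            "//evil.example/",
            "/relative/path",
        };
        for (String s : samples) {
            String r = acceptLink(s);
            System.out.printf("%-50s -> %s%n", s.replace("\t", "\\t"),
                              r == null ? "REJECTED (render as text)" : "ok");
        }
    }
}
```

Only the first two samples pass; rejected values should still be HTML-escaped when shown as plain text, since the allowlist addresses the href scheme, not output encoding.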

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem  Affected versions  Patched versions
org.jenkins-ci.plugins:rundeck   Maven      < 3.6.11           3.6.11

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 1