VYPR
High severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41239

Description

Jenkins DotCi Plugin 2.40.00 and earlier has a stored XSS vulnerability via unescaped GitHub username in commit notifications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins DotCi Plugin versions 2.40.00 and earlier fail to escape the GitHub username when displaying commit notifications in the build cause. Because the username is rendered verbatim, an attacker can inject arbitrary HTML and JavaScript into the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability [1][2].
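The unescaped rendering pattern described above, shown beside its hardened form, as an added Java example that is not DotCi's or Jenkins' own code; the class and method names are hypothetical and the sample username is constructed.

```java
// Added example (not DotCi's code): a build-cause line for a commit notification,
// first built with the untrusted username inserted verbatim (the pattern this
// advisory describes), then with HTML escaping applied to every untrusted field.
public final class CommitCauseDescription {

    // Minimal HTML escaper for text and attribute context. Jenkins core ships its
    // own helpers; this stand-alone version keeps the example self-contained.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: attacker-controlled username concatenated into markup.
    static String unsafeDescription(String githubUser, String sha) {
        return "Started by GitHub push from <b>" + githubUser + "</b> (" + sha + ")";
    }

    // Hardened: untrusted fields are escaped before they reach the markup.
    static String safeDescription(String githubUser, String sha) {
        return "Started by GitHub push from <b>" + escapeHtml(githubUser)
                + "</b> (" + escapeHtml(sha) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample: a username carrying markup, as a commit author can set one.
        String user = "<i>octocat</i>";
        String sha = "0123abcd";

        String unsafe = unsafeDescription(user, sha);
        String safe = safeDescription(user, sha);

        // The unsafe line still contains the raw tag; the safe line contains only
        // the fixed <b> markup from the template, with the injected tag neutralised.
        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        assert unsafe.contains("<i>");
        assert !safe.contains("<i>") && safe.contains("&lt;i&gt;octocat&lt;/i&gt;");
    }
}
```

Run with `java -ea CommitCauseDescription.java` so the assertions are enabled; the same escaping must be applied wherever the username is rendered, not only in one view.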

Exploitation

An attacker with the ability to set their GitHub username to a malicious value (e.g., by creating a commit with a crafted author name) can trigger the XSS. When DotCi processes the commit notification and displays it in the build cause, the malicious script executes in the context of users viewing the build information. No special privileges within Jenkins are required beyond the ability to contribute to a repository monitored by DotCi [1].

Impact

Stored XSS allows the attacker to execute arbitrary JavaScript in the browsers of Jenkins users, potentially stealing session cookies, performing actions on behalf of the victim, or defacing the Jenkins interface. The vulnerability is rated high severity due to the ease of exploitation and potential for widespread impact [1][2].

Mitigation

As of the initial advisory, the Jenkins security team reported that the plugin maintainer had not provided a fix. Users are advised to stop using the DotCi plugin or apply workarounds if available. The plugin may be suspended from the Jenkins update site as per policy for unresolved vulnerabilities [3]. No patched version has been released; the latest code on the GitHub repository still contains the vulnerable code [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.groupon.jenkins-ci.plugins:DotCi (Maven)
Affected versions: <= 2.40.00
Patched versions: none

Affected products: 2

Patches: no patches discovered yet.
