VYPR
High severity · NVD Advisory · Published Apr 12, 2023 · Updated Feb 7, 2025

CVE-2023-30520

Description

Jenkins Quay.io trigger Plugin 0.1 and earlier has a stored XSS vulnerability via unsanitized repository homepage URLs in webhook payloads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2023-30520 is a stored cross-site scripting (XSS) vulnerability in the Jenkins Quay.io trigger Plugin, affecting versions 0.1 and earlier. The vulnerability arises because the plugin does not limit or sanitize the URL scheme of repository homepage URLs submitted via Quay.io trigger webhooks. An attacker can therefore place arbitrary JavaScript or other malicious content in the homepage URL field; the URL is stored by the plugin and the script executes in the browsers of users viewing the affected Jenkins page [1][3].

Exploitation Mechanism

An attacker can exploit this by crafting a Quay.io webhook payload containing a malicious repository homepage URL with a dangerous scheme (e.g., javascript:). This payload can be submitted to a Jenkins instance that has the Quay.io trigger Plugin configured. The plugin then stores the unsanitized URL, and when a Jenkins user with sufficient permissions views the repository homepage link (e.g., in build logs or project configurations), the malicious code executes in their browser, resulting in a stored XSS attack [1][3].

Impact

Successful exploitation allows the attacker to inject malicious scripts into pages viewed by Jenkins users. This can lead to session hijacking, credential theft, or arbitrary actions performed on behalf of the victim within the Jenkins context. The attack requires the ability to submit crafted webhook payloads, which may be possible if the attacker can trigger a webhook event via Quay.io (e.g., by pushing to a repository with a manipulated webhook configuration) [1][3].

Mitigation Status

As of the advisory publication date (2023-04-12), Jenkins has noted that the Quay.io trigger Plugin is among those with unresolved security issues, meaning no patched version was immediately available. Users are advised to disable or remove the plugin until an update is released, or to restrict webhook submission capabilities to trusted sources only [1][2].
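The missing control described above is a scheme allowlist on the homepage URL taken from the webhook body. The following is an added example of that check, not the plugin's code: only absolute http(s) URLs are accepted, and anything else is rendered as plain text rather than as a link. The `homepage` key and the payload layout are assumptions, and the sample payloads are constructed.

```python
"""Allowlist check for repository homepage URLs from a webhook payload.

Added example, not code from the Jenkins Quay.io trigger Plugin.
"""
import json
from html import escape
from urllib.parse import urlsplit

# Only these schemes may ever be turned into a clickable link.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def safe_homepage_url(raw):
    """Return the URL if it is an absolute http(s) URL, otherwise None.

    Browsers strip leading/trailing whitespace and ignore tab, CR and LF
    inside a URL, so the same normalisation is applied before the scheme
    is inspected; "java\\tscript:" must not slip past as an unknown scheme.
    """
    if not isinstance(raw, str):
        return None
    cleaned = "".join(ch for ch in raw.strip() if ch not in "\t\r\n")
    parts = urlsplit(cleaned)  # urlsplit lowercases the scheme
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None  # javascript:, data:, scheme-relative //host, relative paths
    return cleaned


def extract_homepage(payload_json):
    """Parse a webhook body and return a validated homepage URL or None.

    The "homepage" key is an assumption about the payload shape.
    """
    try:
        payload = json.loads(payload_json)
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    return safe_homepage_url(payload.get("homepage"))


def render_homepage_link(url, label):
    """Render the stored URL for a Jenkins page: a link only when the scheme
    is allowed, plain escaped text otherwise. Attribute and text are escaped
    so the URL itself cannot break out of the href."""
    safe = safe_homepage_url(url)
    if safe is None:
        return escape(label)
    return '<a href="%s">%s</a>' % (escape(safe, quote=True), escape(label))


if __name__ == "__main__":
    # Constructed payloads: one benign, one carrying a javascript: URL.
    for body in ('{"homepage": "https://quay.io/repository/acme/app"}',
                 '{"homepage": " JavaScript:alert(1)"}'):
        print(repr(body), "->", extract_homepage(body))
```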

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:quayio-trigger (Maven)
Affected versions: <= 0.1
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 1