CVE-2023-41940
Description
Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, allowing stored cross-site scripting (XSS) via attacker-controlled TAP files.
Vulnerability Overview
The Jenkins TAP Plugin, up to version 2.3, fails to escape the contents of TAP (Test Anything Protocol) files when rendering them in the Jenkins UI. This leads to a stored cross-site scripting (XSS) vulnerability, as dangerous HTML or JavaScript can be injected into the plugin's output pages. The issue arises because TAP file output is included without proper sanitization, allowing attackers who can control TAP file content to execute arbitrary scripts in the context of a Jenkins user's browser session [1][3].
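The output-encoding step whose absence is described above, as an added example in Python. It is not the plugin's code: the TAP sample, the function names and the table layout are constructed for illustration. Each TAP line is parsed, every file-derived field is HTML-escaped before it enters the page, and lines carrying markup are listed for review.

```python
import html
import re

# Constructed TAP report (not from the advisory): test 2 and the
# diagnostic line contain HTML markup in file-controlled fields.
SAMPLE_TAP = """1..3
ok 1 - login works
not ok 2 - <script>alert(1)</script>
# note: <b>bold</b> & more
ok 3 - logout works
"""

TEST_LINE = re.compile(r"^(ok|not ok)\b\s*(\d*)\s*-?\s*(.*)$")
MARKUP = re.compile(r"<[a-zA-Z/!][^>]*>")


def parse_tap(text):
    """Return a list of (status, description) for test and diagnostic lines."""
    rows = []
    for line in text.splitlines():
        m = TEST_LINE.match(line)
        if m:
            rows.append((m.group(1), m.group(3)))
        elif line.startswith("#"):
            rows.append(("diagnostic", line[1:].strip()))
    return rows


def render_rows(rows):
    """Build table rows, HTML-escaping every value that came from the file."""
    return "\n".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(status), html.escape(desc, quote=True))
        for status, desc in rows
    )


def suspicious_lines(text):
    """1-based line numbers whose content contains an HTML tag."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if MARKUP.search(line)]


if __name__ == "__main__":
    print(render_rows(parse_tap(SAMPLE_TAP)))
    print("lines to review:", suspicious_lines(SAMPLE_TAP))
```
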
Exploitation Conditions
To exploit this vulnerability, an attacker must be able to control the contents of a TAP file processed by the Jenkins instance. This could be achieved through various means, such as by committing malicious TAP files to a repository that Jenkins monitors, or by directly uploading crafted TAP artifacts. No authentication is specifically required beyond the ability to place files; however, in typical Jenkins setups, such actions are limited to users with certain permissions (e.g., Job/Configure or Job/Build). The TAP Plugin does not enforce any validation or encoding on the file contents before displaying them, allowing the XSS payload to be delivered when a Jenkins user views test results [2].
Impact
If exploited, the stored XSS vulnerability allows an attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to session hijacking, credential theft, and unauthorized actions performed on behalf of the victim, including modification of Jenkins jobs, configuration, and access to sensitive build data. The vulnerability is classified as High severity due to the potential for significant impact on Jenkins confidentiality, integrity, and availability [1][3].
Mitigation
As of the advisory publication (2023-09-06), no fixed version of the TAP Plugin has been released. The plugin is listed among unresolved security issues, and users are advised to monitor the plugin's update channel for a patched version. In the absence of a patch, administrators should restrict who can supply TAP files to Jenkins and consider disabling the plugin if not in use, or apply a workaround by using a Content Security Policy (CSP) header to mitigate XSS risk [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.tap4j:tap (Maven) | <= 2.3 | — |
Affected products
- Range: <=2.3
- Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-3vcr-579j-4x48 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-41940 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2023-09-06/ (ghsa, vendor-advisory, WEB)
- www.openwall.com/lists/oss-security/2023/09/06/9 (ghsa, WEB)
News mentions
- Jenkins Security Advisory 2023-09-06 (Jenkins Security Advisories, Sep 6, 2023)