VYPR
Moderate severity · NVD Advisory · Published Sep 6, 2023 · Updated Sep 27, 2024

CVE-2023-41944

Description

Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier fails to escape the queue name parameter, enabling HTML injection via error messages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

Jenkins AWS CodeCommit Trigger Plugin versions 3.0.12 and earlier contain an HTML injection vulnerability. The plugin does not escape the queue name parameter passed to a form validation URL when rendering an error message, allowing an attacker to inject arbitrary HTML or JavaScript into the Jenkins interface [1][2].
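To show the defect class described above in working code, here is an added example that is not the plugin's own code: a hypothetical Jenkins form-validation method (class name, method names and the queue-name pattern are assumptions) that renders the raw parameter as HTML markup, beside two hardened variants that rely on Jenkins' own escaping APIs.

```java
import hudson.Util;
import hudson.util.FormValidation;
import org.kohsuke.stapler.QueryParameter;

import java.util.regex.Pattern;

// Hypothetical descriptor-style helper; not taken from the aws-codecommit-trigger plugin.
public class QueueNameValidationExample {

    // Assumed validation rule for an SQS-style queue name; the plugin's actual rule is not on the page.
    private static final Pattern QUEUE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,80}");

    // Vulnerable pattern: the untrusted parameter is concatenated into a message that
    // FormValidation renders as markup, so any HTML in 'value' reaches the page unescaped.
    public static FormValidation doCheckQueueNameUnsafe(@QueryParameter String value) {
        if (value == null || !QUEUE_NAME.matcher(value).matches()) {
            return FormValidation.errorWithMarkup("Invalid queue name: " + value);
        }
        return FormValidation.ok();
    }

    // Hardened: FormValidation.error(String) HTML-escapes its whole argument before rendering,
    // so the browser shows the literal characters of 'value' instead of interpreting them.
    public static FormValidation doCheckQueueName(@QueryParameter String value) {
        if (value == null || !QUEUE_NAME.matcher(value).matches()) {
            return FormValidation.error("Invalid queue name: " + value);
        }
        return FormValidation.ok();
    }

    // Hardened alternative when the message genuinely needs markup: escape only the
    // untrusted fragment with hudson.Util.escape and keep the markup under the plugin's control.
    public static FormValidation doCheckQueueNameWithMarkup(@QueryParameter String value) {
        if (value == null || !QUEUE_NAME.matcher(value).matches()) {
            return FormValidation.errorWithMarkup(
                    "Invalid queue name: <code>" + Util.escape(value) + "</code>");
        }
        return FormValidation.ok();
    }
}
```

A quick review check for this bug class is to grep a plugin's `doCheck*` methods for `errorWithMarkup`, `warningWithMarkup` or `okWithMarkup` and confirm every request-derived string they include has passed through `Util.escape`.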

Exploitation

This issue can be exploited by an attacker who can cause the plugin to validate a crafted queue name. The injected payload is rendered in an error message when the form validation fails, without requiring authentication beyond normal Jenkins usage. The vulnerability resides in the form validation endpoint, meaning any user with access to trigger the validation (e.g., by configuring the plugin) can exploit it [1][3].

Impact

Successful exploitation results in HTML injection, which can be leveraged to perform actions such as redirecting users to malicious sites, stealing sensitive session cookies, or otherwise compromising the user's browser session within the Jenkins context. The vulnerability does not directly affect the Jenkins controller or build agents, but can lead to further attacks if combined with other issues [1][2].

Mitigation

As of the advisory date (2023-09-06), the plugin remains unresolved with no patched version available [1][2]. Users are advised to either restrict access to the plugin's configuration or consider disabling the plugin if not essential. No workaround is provided by the vendor [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:aws-codecommit-trigger (Maven)
Affected versions: <= 3.0.12
Patched versions: (none)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1