VYPR
High severity · NVD Advisory · Published Oct 25, 2023 · Updated Feb 13, 2025

CVE-2023-46659

Description

Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Edgewall Trac Plugin 1.13 and earlier has a stored XSS vulnerability via unsanitized Trac website URL on the build page, exploitable by attackers with Item/Configure permission.

Vulnerability

Description

Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL when rendering it on the build page. Because that URL is a per-job configuration value written into the page's HTML without output encoding, a crafted value persists in the job configuration and is interpreted as markup or script by the browser of every user who views the build page: a stored cross-site scripting (XSS) vulnerability [1][2].

Exploitation

Context

Attackers must hold Item/Configure permission on a job to set or modify its Trac website URL; beyond an authenticated Jenkins session with that permission, no further privilege or special network position is needed. The payload is stored in the job configuration and fires whenever any user views a build page of that job, where the URL is rendered unescaped [1][3].
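The bug class described above, shown as an added illustration that is not the plugin's code: a configured URL interpolated straight into an `href` attribute, next to a hardened renderer that validates the scheme and escapes for the attribute context. The sample URLs, the `render_link_*` functions and the `tag_names` helper are constructed for this example; the attacker string is a generic attribute-breakout payload, not one taken from the advisory. The example also covers the neighbouring case that escaping alone does not fix, a `javascript:` URL, which is why the hardened path checks the scheme as well.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample values (assumptions for this example, not from the advisory).
BENIGN_URL = "https://trac.example.org/project"
ATTACKER_URL = '"><img src=x onerror=alert(1)>'   # generic attribute-breakout payload
SCHEME_URL = "javascript:alert(1)"                 # survives escaping unchanged


def render_link_vulnerable(url: str) -> str:
    """Interpolate the stored URL into an href attribute with no escaping.

    This is the bug class the advisory describes, written as a standalone
    illustration rather than the plugin's own view code: a double quote in
    the value closes the attribute and the remainder is parsed as markup.
    """
    return f'<a href="{url}">Trac</a>'


def is_safe_http_url(url: str) -> bool:
    """Accept only absolute http(s) URLs that carry a host part."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_link_hardened(url: str) -> str:
    """Validate the scheme, then escape for the HTML attribute context.

    Both steps are needed: html.escape() neutralises quotes and angle
    brackets, but leaves 'javascript:alert(1)' untouched, and that is still
    a clickable script URL once it lands in an href.
    """
    if not is_safe_http_url(url):
        return "<span>Trac URL not configured or invalid</span>"
    return f'<a href="{html.escape(url, quote=True)}">Trac</a>'


def tag_names(rendered: str) -> list[str]:
    """Return the element names opened in rendered output, in order.

    A cheap oracle for a review or regression test: a link rendered from a
    configuration value should never open anything but the intended <a>.
    """
    return re.findall(r"<([a-zA-Z][a-zA-Z0-9]*)", rendered)


if __name__ == "__main__":
    for label, url in (("benign", BENIGN_URL), ("breakout", ATTACKER_URL), ("scheme", SCHEME_URL)):
        print(f"{label:9} vulnerable: {render_link_vulnerable(url)}")
        print(f"{label:9} hardened:   {render_link_hardened(url)}")
```

Running the block prints the vulnerable and hardened rendering side by side for each sample; the breakout payload yields an extra `<img>` element only on the vulnerable path, and the `javascript:` URL is rejected by the hardened path even though escaping would have left it byte-for-byte intact.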

Impact

Successful exploitation lets an attacker with Item/Configure permission run arbitrary JavaScript in the browser of any user who views the affected build page, acting with that victim's Jenkins permissions. Because the script runs in the Jenkins origin, it can obtain a CSRF crumb and issue authenticated requests on the victim's behalf; if the victim is an administrator, this can extend to administrative operations, viewing or modifying builds and jobs, or accessing sensitive information held in the Jenkins environment [1][2].

Mitigation

Status

As of the advisory date (2023-10-25) no fixed release of the Edgewall Trac Plugin is available; the Jenkins security advisory lists it among the plugins with unresolved issues [1][3]. The plugin offers no workaround of its own [4], so until a fix appears, restrict Item/Configure permission to trusted users and watch for a patched version. As general Jenkins practice, uninstalling the plugin where it is not needed removes the exposure entirely.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:trac (Maven)
Affected versions: <= 1.13
Patched versions: none

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 1