VYPR
Moderate severity · NVD Advisory · Published Mar 6, 2024 · Updated Mar 27, 2025

CVE-2024-28156

Description

Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Build Monitor View Plugin has a stored XSS vulnerability because it does not escape view names, allowing attackers to execute arbitrary JavaScript.

Vulnerability Overview

Jenkins Build Monitor View Plugin version 1.14-860.vd06ef2568b_3f and earlier does not properly escape user-provided Build Monitor View names, leading to a stored cross-site scripting (XSS) vulnerability [1]. The plugin stores the view name without sanitization and subsequently renders it in the Jenkins UI, allowing malicious script content to execute in the context of other users' browsers [2].

Attack Vector and Requirements

To exploit this vulnerability, an attacker must possess the ability to configure Build Monitor Views within Jenkins [1]. This typically requires at least Item/Configure permission on a job or view. The attacker can craft a view name containing malicious JavaScript, which will then be stored and served to any user who views the Build Monitor page. No additional user interaction is required beyond viewing the affected dashboard [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to session hijacking, credential theft, arbitrary actions performed on behalf of the victim, and potential compromise of the Jenkins controller if the victim has administrative privileges [1][3]. Because the XSS is stored, the attack persists and affects all users who access the compromised view.

Mitigation and Status

As of the Jenkins Security Advisory published on March 6, 2024, no official fix for this vulnerability was available [1]. The plugin is listed among those with unresolved security issues at that time [2]. Users are advised to restrict permissions to configure Build Monitor Views to trusted users only and monitor for future updates that will address this flaw.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:build-monitor-plugin (Maven)
Affected versions: <= 1.14-860.vd06ef2568b
Patched versions: (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)
