CVE-2020-2222 in Jenkins
Summary
by MITRE
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 11/03/2020
This vulnerability exists in Jenkins versions prior to 2.244 and LTS 2.235.1 where the job name parameter is not properly escaped in the tooltip of the 'Keep this build forever' badge. The flaw allows attackers to store malicious JavaScript code within job names, which then executes when users view the tooltip containing the unescaped job name. This represents a classic stored cross-site scripting vulnerability that falls under CWE-79, which specifically addresses cross-site scripting flaws. The vulnerability is particularly concerning because it leverages the badge tooltip functionality that users frequently interact with, making it an ideal vector for executing malicious code in the context of the victim's browser session.
The technical implementation of this vulnerability exploits the lack of proper input sanitization and output escaping in Jenkins's user interface rendering logic. When administrators or users create jobs with malicious payloads in job names, these payloads are stored in the system and subsequently rendered in tooltips without proper HTML escaping. The vulnerability occurs during the tooltip generation process where the job name is directly embedded into HTML attributes without appropriate sanitization, creating an opening for attackers to inject malicious scripts that execute when the tooltip is displayed. This type of vulnerability is classified under the ATT&CK technique T1566.001 for credential access through phishing and can be leveraged for privilege escalation if attackers can manipulate build configurations or access sensitive information through the victim's browser session.
The operational impact of this vulnerability extends beyond simple script execution as it can enable attackers to perform session hijacking, steal sensitive credentials, or gain unauthorized access to Jenkins instances. When users with appropriate privileges view tooltips containing malicious job names, their browsers execute the stored scripts, potentially allowing attackers to access the Jenkins web interface with elevated privileges. This vulnerability can be particularly dangerous in enterprise environments where Jenkins serves as a central automation platform with access to critical build systems and deployment pipelines. The stored nature of the XSS means that once a malicious job name is created, the vulnerability persists until the job is deleted or the system is patched, making it a persistent threat that can affect multiple users over extended periods.
Mitigation strategies for this vulnerability involve immediate patching of Jenkins installations to versions 2.244 or later for regular releases and 2.235.1 or later for LTS releases. Organizations should also implement input validation and output sanitization measures to prevent the storage of potentially malicious content in job names and other user-controlled fields. Regular security scanning of Jenkins instances and monitoring for unauthorized job creation activities can help detect exploitation attempts. Additionally, implementing proper access controls and privilege separation can limit the damage that can be caused by successful exploitation, ensuring that even if an attacker gains access through this vulnerability, they cannot escalate privileges beyond their initial access level. Security teams should also consider implementing web application firewalls and content security policies to provide additional layers of protection against such attacks.