CVE-2022-28145 in Continuous Integration with Toad Edge Plugin
Summary
by MITRE • 03/29/2022
Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier does not apply Content-Security-Policy headers to report files it serves, resulting in a stored cross-site scripting (XSS) exploitable by attackers with Item/Configure permission or otherwise able to control report contents.
Analysis
by VulDB Data Team • 04/01/2022
CVE-2022-28145 affects Jenkins installations running the Continuous Integration with Toad Edge Plugin version 2.3 or earlier. It is a critical flaw in the plugin's web-based reporting: report files are served without Content-Security-Policy headers, so an attacker who can control report content can mount a stored cross-site scripting (XSS) attack against anyone who views those reports.
The root cause is that the plugin does not set a Content-Security-Policy header when it serves report files. Because of this omission, an attacker with the Item/Configure permission can embed script in report content, and that script runs in the browser of every other user who opens the report, potentially exposing sensitive information or leading to further compromise. The issue is classified under CWE-1021, which covers improper restriction of potentially malicious input, specifically inadequate protection of web applications against cross-site scripting attacks.
The impact goes beyond a single script execution: a stored XSS payload lets the attacker act within the Jenkins environment as the viewing user. Anyone holding Item/Configure permission can shape report content directly, but the weakness is not limited to that role, since any attacker who can otherwise control report contents can use it as well. The payload travels through the plugin's normal reporting mechanism, persists in the stored report file, and executes every time another user opens it, so one injection can affect many users over time.
This vulnerability is mapped to ATT&CK technique T1211, which describes the use of external remote services for command and control. A compromised Jenkins instance can serve as a staging point for further attacks or as a vector for lateral movement within the network. Organizations running Jenkins with the Toad Edge Plugin should update to version 2.4 or later, which adds the required Content-Security-Policy headers. Administrators should also review all installed Jenkins plugins, particularly those that serve user-controllable content, for the same class of flaw; strengthen network segmentation and monitoring so that suspicious modifications to report files are detected; and include the CI/CD pipeline in regular penetration testing. The case illustrates the importance of proper security headers in web applications and of keeping software components current so that known vulnerabilities in continuous integration environments cannot be exploited.
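As an added example (not part of this advisory or of the plugin's code), the following script classifies the response headers a Jenkins server returns for a report file: no Content-Security-Policy header at all, as with plugin 2.3, means an embedded script would execute, while the policy Jenkins core applies through DirectoryBrowserSupport (the `hudson.model.DirectoryBrowserSupport.CSP` system property, default `sandbox; default-src 'none'; img-src 'self'; style-src 'self';`) blocks it. The sample header sets are constructed, not captured from a real server.

```python
"""Classify the headers a Jenkins server sends for a served report file.
Added example; the SAMPLES below are constructed, not captured traffic."""
from typing import Dict, List, Optional

# Value Jenkins core applies to files served via DirectoryBrowserSupport.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source tokens]} (directives lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def scripts_allowed(csp: Optional[str]) -> bool:
    """True if a script embedded in the served file could run under this policy.
    No header at all (the plugin 2.3 behaviour) means scripts run."""
    if csp is None or not csp.strip():
        return True
    policy = parse_csp(csp)
    # A sandbox directive without allow-scripts disables script execution outright.
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return False
    # Otherwise script-src governs, falling back to default-src.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:  # neither directive present: no script restriction
        return True
    return sources != ["'none'"]


def assess_report_headers(headers: Dict[str, str]) -> str:
    """Return 'vulnerable' or 'protected' for one response's headers (names case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return "vulnerable" if scripts_allowed(lowered.get("content-security-policy")) else "protected"


# Constructed sample responses for three server configurations.
SAMPLES = {
    "plugin_2.3_no_csp": {"Content-Type": "text/html"},
    "jenkins_default": {"Content-Type": "text/html", "Content-Security-Policy": JENKINS_DEFAULT_CSP},
    "relaxed_by_admin": {"Content-Type": "text/html",
                         "Content-Security-Policy": "sandbox allow-scripts; default-src 'self';"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {assess_report_headers(hdrs)}")
```

Pointing the same check at a live instance only requires substituting the headers from an authenticated request for a report URL; the "relaxed_by_admin" case shows why a weakened CSP property deserves the same scrutiny as a missing header.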