CVE-2024-28153 in OWASP Dependency-Check Plugin
Summary
by MITRE • 03/06/2024
Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports, resulting in a stored cross-site scripting (XSS) vulnerability.
Analysis
by VulDB Data Team • 04/17/2025
CVE-2024-28153 affects Jenkins OWASP Dependency-Check Plugin 5.4.5 and earlier. It is a stored cross-site scripting (XSS) flaw: the plugin renders vulnerability metadata taken from Dependency-Check reports without escaping it, so script injected into a report executes in the browser of any Jenkins user who views that report and can hijack the user's session or perform actions with the user's privileges. Exploitation requires an attacker who is able to control the contents of a Dependency-Check report that the plugin consumes. The weakness is classified as CWE-79 (improper neutralization of input during web page generation).
The flaw sits in the plugin's presentation layer: vulnerability names, severities, descriptions and similar metadata fields are written into the report page as raw HTML rather than as escaped text. An attacker who can influence what ends up in the report, for example by controlling the report file in the build workspace or the data that feeds it, can place a script tag or an event-handler attribute in one of those fields. When an administrator or developer opens the report in Jenkins, the payload runs in their browser within their authenticated session, which allows the attacker to issue requests to Jenkins as that user, exfiltrate data the page can read, or redirect the victim to an attacker-controlled site.
The impact goes beyond the victim's browser. Jenkins is usually the automation hub of a delivery pipeline, so script running as an administrator can create or modify jobs, read credentials exposed to builds, and reach source repositories, build artifacts and deployment configurations. Because the payload is stored in the report, it survives until the report is regenerated or removed and fires for every user who views it, giving the attacker persistence and a way to reach several accounts over time rather than a single one-off execution.
Mitigation starts with upgrading to OWASP Dependency-Check Plugin 5.4.6 or later, which escapes vulnerability metadata before rendering it. Until the upgrade is possible, restrict who can write to the workspaces and report paths the plugin reads, since control over report contents is the precondition for exploitation, and limit the plugin's report views to users who need them. Longer term, keep Jenkins plugins on a regular update cycle, apply least privilege to Jenkins accounts so that a hijacked session has limited reach, and treat data produced by security tooling as untrusted input: report fields originate from external vulnerability feeds and build inputs, and they must be escaped at the point of output like any other user-controlled data.
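The rendering defect described in the analysis above, and the output-escaping plus report-validation checks the mitigation paragraph calls for, modelled in Python as an added example. This is not the plugin's own code (the plugin renders its views in Java/Jelly, which this page does not show); it assumes a simplified Dependency-Check JSON layout (`dependencies[].vulnerabilities[].{name,severity,description}`) and uses a constructed report fragment with placeholder identifiers, not a real scan result.

```python
import html
import json
import re

# Constructed, simplified Dependency-Check JSON report fragment (not a real scan result).
# The second finding's "description" carries an HTML payload, standing in for report
# content an attacker was able to control. The CVE-0000-* names are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "example-lib-1.0.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "HIGH",
                 "description": "Plain description, no markup."},
                {"name": "CVE-0000-0002", "severity": "CRITICAL",
                 "description": "Overflow <script>fetch('/evil?c='+document.cookie)</script>"},
            ],
        }
    ]
})


def load_findings(report_json):
    """Flatten a report into (fileName, name, severity, description) rows."""
    report = json.loads(report_json)
    rows = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            rows.append((dep.get("fileName", ""), vuln.get("name", ""),
                         vuln.get("severity", ""), vuln.get("description", "")))
    return rows


def render_unescaped(rows):
    """Vulnerable rendering: metadata is concatenated straight into the HTML.

    This is the pattern behind CVE-2024-28153: whatever is in the report lands in
    the page verbatim, so a <script> tag in a description becomes live markup."""
    cells = "".join(
        f"<tr><td>{f}</td><td>{n}</td><td>{s}</td><td>{d}</td></tr>" for f, n, s, d in rows)
    return f"<table>{cells}</table>"


def render_escaped(rows):
    """Hardened rendering: every field passes through html.escape at the point of output.

    quote=True also neutralises ' and " so a payload cannot break out of an attribute."""
    cells = "".join(
        "<tr>" + "".join(f"<td>{html.escape(v, quote=True)}</td>" for v in row) + "</tr>"
        for row in rows)
    return f"<table>{cells}</table>"


# Markup that has no business in vulnerability metadata: tag openers, javascript: URLs,
# inline event handlers. Used as a pre-publication sanity check on report contents.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def suspicious_fields(rows):
    """Report-side check: flag (fileName, name, field) triples whose value contains markup.

    Escaping on output is the actual fix; this check is a complementary detection that
    lets a pipeline refuse or alert on a report that looks tampered with."""
    hits = []
    for f, n, s, d in rows:
        for field, value in (("name", n), ("severity", s), ("description", d)):
            if MARKUP.search(value):
                hits.append((f, n, field))
    return hits


if __name__ == "__main__":
    rows = load_findings(SAMPLE_REPORT)
    print("unescaped contains <script>:", "<script>" in render_unescaped(rows))
    print("escaped contains <script>:  ", "<script>" in render_escaped(rows))
    print("flagged fields:", suspicious_fields(rows))
```

The two renderers take identical input; only the escaped one is safe to serve to a Jenkins user. `suspicious_fields` is deliberately a detection aid, not a sanitiser: stripping markup from descriptions would lose information and can be bypassed, whereas escaping everything on output cannot.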