Coordinated Disclosure Timeline

Summary

Multiple reflected Cross-Site Scripting (XSS) vulnerabilities were found in the Jenkins Sonargraph integration plugin

Product

sonargraph-integration-plugin

Tested Version

5.0.1

Details

Issue 1: Reflected Cross-Site Scripting (XSS) via value query parameter (GHSL-2023-095)

The SonargraphReportBuilder#doCheckLogFile method is vulnerable to XSS since the user-controlled value query parameter is reflected in the text/html response generated by this endpoint.

        public FormValidation doCheckLogFile(@AncestorInPath final AbstractProject<?, ?> project, @QueryParameter final String value)
                throws IOException
        {
            if (project == null)
            {
                return FormValidation.ok();
            }
            final String escapedValue = Util.xmlEscape(value);
            final FilePath ws = project.getSomeWorkspace();
            if (ws == null)
            {
                return FormValidation.error("Please run build at least once to get a workspace.");
            }
            final FormValidation validateRelativePath = ws.validateRelativePath(escapedValue, false, true);
            if (validateRelativePath.kind != FormValidation.Kind.OK)
            {
                return validateRelativePath;
            }

            final FilePath logfile = new FilePath(ws, escapedValue);
            final String logfileURL = project.getAbsoluteUrl() + "ws/" + escapedValue;
            return FormValidation.okWithMarkup("Logfile is <a href='" + logfileURL + "'>" + logfile.getRemote() + "</a>");
        }

The value query parameter is escaped with the Util#xmlEscape method. However, this method is not sufficient XSS protection in the context of an HTML attribute, since it does not encode single or double quotes, and the value is placed inside a single-quoted href attribute.
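To make the attribute-context point concrete, the following is an added Python model (not the plugin's code) of the markup built in doCheckLogFile: xml_escape mirrors the behaviour the advisory attributes to Util#xmlEscape, attr_escape is an assumed attribute-safe alternative that also encodes quotes, and attribute_injected checks whether the rendered anchor gained attributes beyond href. The URL and the input values are constructed samples.

```python
from html.parser import HTMLParser

# Constructed stand-in for Jenkins' Util.xmlEscape as the advisory describes it:
# it encodes the XML specials but leaves single and double quotes untouched.
def xml_escape(value: str) -> str:
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

# Assumed attribute-safe variant: additionally encodes both quote characters,
# so a value can no longer terminate the surrounding attribute.
def attr_escape(value: str) -> str:
    return xml_escape(value).replace('"', "&quot;").replace("'", "&#39;")

WORKSPACE_URL = "https://jenkins.example/job/demo/"  # constructed sample

def build_markup(value: str, escape) -> str:
    """Mirrors the okWithMarkup() string built in doCheckLogFile."""
    escaped = escape(value)
    logfile_url = WORKSPACE_URL + "ws/" + escaped
    return "Logfile is <a href='" + logfile_url + "'>" + escaped + "</a>"

class _AnchorAttrs(HTMLParser):
    """Collects the attributes of the first <a> tag the browser would see."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = attrs

def anchor_attributes(markup: str) -> list:
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.attrs

def attribute_injected(value: str, escape) -> bool:
    """True when the escaped value breaks out of href and adds attributes."""
    names = [name for name, _ in anchor_attributes(build_markup(value, escape))]
    return names != ["href"]
```

A value containing a single quote yields a second attribute on the anchor under xml_escape but stays inside href under attr_escape; a plain relative path is unaffected by either.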

Proof of concept

(Proof-of-concept screenshot; the image is not reproduced in this text.)

Impact

This issue may lead to Cross-Site Scripting and, if targeted at an administrator, it can be escalated into Remote Code Execution (RCE).

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-095 and GHSL-2023-096 in any communication regarding this issue.