Bug 2268228 (CVE-2024-28150)

Summary: CVE-2024-28150 jenkins-2-plugins: Stored XSS vulnerability in HTML Publisher Plugin
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: apjagtap, asatyam, diagrawa, sabiswas
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: HTML Publisher Plugin 1.32.1
Doc Text:
A flaw was found in jenkins-2-plugins. The HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame. This issue may result in a stored cross-site scripting (XSS) vulnerability that is exploitable by attackers with Item/Configure permissions.
Bug Blocks: 2268252    

Description Pedro Sampaio 2024-03-06 17:37:54 UTC
HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

HTML Publisher Plugin 1.32.1 escapes job names, report names, and index page titles when creating a new report. HTML Publisher Plugin 1.32.1 checks reports created in earlier releases for the presence of unsafe characters in the report frame, and refuses to show these frames if unsafe characters are identified.

References:

https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3302
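
The two behaviours the description attributes to 1.32.1 (escape on creation, refuse to show unsafe legacy frames) can be sketched as follows. This is an added example, not the HTML Publisher Plugin's code; the class and method names, the frame markup, and the set of characters treated as unsafe are assumptions, and the sample values are constructed.

```java
import java.util.List;

// Added illustration; not the HTML Publisher Plugin's source code.
public class ReportFrameEscaping {

    // Assumption: the page does not list the "unsafe characters"; this is the usual HTML-significant set.
    private static final String UNSAFE = "<>&\"'";

    // Escape a user-controlled value before it is written into frame markup.
    static String escapeHtml(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // New reports: job name, report name and index page title are all escaped at creation time.
    static String buildFrameHeader(String jobName, String reportName, String indexTitle) {
        return "<title>" + escapeHtml(reportName) + "</title>"
             + "<h1>" + escapeHtml(jobName) + " / " + escapeHtml(reportName) + "</h1>"
             + "<li class=\"tab\">" + escapeHtml(indexTitle) + "</li>";
    }

    // Reports from earlier releases were stored unescaped, so the check refuses instead of repairing.
    static boolean isSafeLegacyValue(String value) {
        return value.chars().noneMatch(c -> UNSAFE.indexOf(c) >= 0);
    }

    static boolean mayShowLegacyFrame(List<String> storedValues) {
        return storedValues.stream().allMatch(ReportFrameEscaping::isSafeLegacyValue);
    }

    public static void main(String[] args) {
        // Constructed sample input: a report name that carries markup.
        String hostile = "Coverage<script>alert(1)</script>";
        System.out.println(buildFrameHeader("nightly-build", hostile, "index.html"));
        System.out.println(mayShowLegacyFrame(List.of("nightly-build", "Coverage", "index.html"))); // true
        System.out.println(mayShowLegacyFrame(List.of("nightly-build", hostile, "index.html")));    // false
    }
}
```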