CVE-2024-28157
📋 TL;DR
The Jenkins GitBucket Plugin 0.8 and earlier contains a stored cross-site scripting (XSS) vulnerability: the GitBucket URL configured for a job is rendered on build views without escaping. An attacker with Item/Configure permission can store a crafted URL in a job's GitBucket settings, and the script in it executes in the browser of every user who later views that job's build pages. Jenkins tracks the issue as SECURITY-3249; any Jenkins instance with the vulnerable plugin installed is affected.
💻 Affected Systems
- Jenkins GitBucket Plugin
📦 What is this software?
The GitBucket Plugin is a Jenkins plugin, distributed through the Jenkins update center, that links jobs and builds to repositories hosted on GitBucket (a Git hosting platform). It stores a GitBucket URL per job and displays it on build pages; that displayed URL is where the unescaped output occurs.
⚠️ Risk & Real-World Impact
Worst Case
A script running in an administrator's browser session can drive the Jenkins UI as that administrator: the CSRF crumb is readable from the page, so state-changing requests succeed. That allows creating or modifying jobs, changing security settings and credentials, and running arbitrary code on build agents, from which internal systems reachable by the agents and the artifacts Jenkins produces are within reach.
Likely Case
Attackers with job configuration access could perform actions as any user who opens the poisoned build view, or deface build pages. Jenkins normally flags its session cookie HttpOnly, so outright cookie theft is the less likely path; issuing requests from the victim's browser with their live session is the realistic one.
If Mitigated
Limiting Item/Configure permission to trusted users shrinks the pool of possible attackers, but anyone who keeps that permission on any job can still plant the payload, and the rendered page stays unsafe for every viewer until the plugin is updated.
🎯 Exploit Status
Exploitation requires an authenticated account with Item/Configure permission on at least one job. Once that access exists, the attack is straightforward: store a crafted URL in the job's GitBucket settings and wait for a user to open a build view.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to GitBucket Plugin 0.9 or later (0.9 escapes GitBucket URLs on build views)
Vendor Advisory: https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3249
Restart Required: Yes
Instructions:
1. Navigate to Manage Jenkins > Plugins (Manage Plugins on older releases) > Updates tab.
2. Tick 'GitBucket Plugin' and click Update (or 'Download now and install after restart').
3. Restart Jenkins so the updated plugin is loaded.
4. Confirm in the Installed tab that the version shown is 0.9 or later.
🔧 Temporary Workarounds
Remove vulnerable plugin
Uninstall the GitBucket Plugin if it is not required: Manage Jenkins > Plugins > Installed tab, tick 'GitBucket Plugin', click Uninstall. The CLI can disable the plugin (which stops its views from rendering) but not uninstall it; the files stay under $JENKINS_HOME/plugins until you remove gitbucket.jpi yourself:
java -jar jenkins-cli.jar -s http://jenkins-url/ disable-plugin gitbucket -restart
Restrict job configuration permissions
Limit Item/Configure to trusted administrators only (Manage Jenkins > Security > Authorization), and review who holds it through folder-level and project-based matrix grants as well as global ones.
🧯 If You Can't Patch
- Do not count on a Content Security Policy: Jenkins' own UI depends on inline scripts, and the CSP header Jenkins sets itself (configurable via hudson.model.DirectoryBrowserSupport.CSP) applies only to files served from workspaces and archived artifacts, not to build views. A strict CSP injected by a reverse proxy would break the Jenkins UI without closing this hole.
- Monitor job configuration changes and review the stored GitBucket URL of every job (jobs/*/config.xml) for anything other than a plain http(s) URL; remove offending values and the permission of whoever stored them
🔍 How to Verify
Check if Vulnerable:
Check the Jenkins plugin manager for the GitBucket Plugin version. If it is 0.8 or earlier, the instance is vulnerable.
Check Version:
Check via the Jenkins web UI: Manage Jenkins > Plugins (Manage Plugins on older releases) > Installed tab, or via the CLI: java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | grep gitbucket
Verify Fix Applied:
Verify GitBucket Plugin version is 0.9 or later in Jenkins plugin manager.
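The version check above, scripted against the Jenkins plugin manager REST endpoint, as an added example (not code from the advisory, Jenkins or the plugin). It assumes /pluginManager/api/json?depth=1 is readable by the account used (which needs Overall/Administer) and that the plugin's shortName is gitbucket; the JSON embedded in the block is constructed to mirror the endpoint's shape. Versions are compared numerically because a string comparison would order a hypothetical 0.10 before 0.9.

```python
"""Check whether a Jenkins instance runs a GitBucket Plugin version affected by
CVE-2024-28157 (0.8 and earlier vulnerable, 0.9 and later fixed).

Added example, not code from Jenkins or the GitBucket Plugin. Reads
/pluginManager/api/json?depth=1 (assumed readable by the account used, which
needs Overall/Administer) and compares the 'version' of the plugin whose
shortName is 'gitbucket' numerically.
"""
import base64
import json
import re
import sys
import urllib.request

PLUGIN_ID = "gitbucket"
FIXED_VERSION = "0.9"


def version_key(version):
    """Turn '0.8', '0.9', '0.10' or '1.0.1-SNAPSHOT' into an int tuple for ordering.
    A plain string comparison would sort '0.10' before '0.9'."""
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    if not numeric:
        raise ValueError("unparseable plugin version: %r" % version)
    return tuple(int(part) for part in numeric.group(0).split("."))


def assess(plugin_manager_json):
    """Summarise the GitBucket Plugin entry from the plugin manager JSON.
    Returns a dict with installed, version, enabled and vulnerable flags."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_ID:
            version = plugin["version"]
            return {
                "installed": True,
                "version": version,
                # A disabled plugin still sits on disk; re-enabling it without
                # updating brings the issue back, so report it either way.
                "enabled": bool(plugin.get("enabled", True)),
                "vulnerable": version_key(version) < version_key(FIXED_VERSION),
            }
    return {"installed": False, "version": None, "enabled": False, "vulnerable": False}


def fetch_plugin_manager(jenkins_url, user, api_token):
    """Fetch the plugin list from a live controller using basic auth with an API token."""
    url = jenkins_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    cred = base64.b64encode(("%s:%s" % (user, api_token)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + cred})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of the endpoint's shape, trimmed to the fields used.
SAMPLE_VULNERABLE = json.dumps({"plugins": [
    {"shortName": "git", "longName": "Git plugin", "version": "5.2.1", "enabled": True},
    {"shortName": PLUGIN_ID, "longName": "GitBucket Plugin", "version": "0.8", "enabled": True},
]})
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace('"version": "0.8"', '"version": "0.9"')

if __name__ == "__main__":
    if len(sys.argv) == 4:
        body = fetch_plugin_manager(*sys.argv[1:4])   # JENKINS_URL USER API_TOKEN
    else:
        body = SAMPLE_VULNERABLE                       # offline demo on the constructed sample
    result = assess(body)
    print("GitBucket Plugin: %s (enabled=%s) -> %s" % (
        result["version"] or "not installed", result["enabled"],
        "VULNERABLE, update to %s or later" % FIXED_VERSION if result["vulnerable"] else "not affected"))
```

Run it as `python3 check_gitbucket.py https://jenkins.example admin <api-token>` against a live controller; with no arguments it evaluates the constructed sample. The `enabled` flag is reported deliberately: a disabled 0.8 does not render the view, but it is one click away from doing so again.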
📡 Detection & Monitoring
Log Indicators:
- Unexpected job configuration changes on jobs that carry the GitBucket property (configSubmit entries in the Audit Trail plugin log, or new revisions in Job Configuration History)
- GitBucket URL values in jobs/*/config.xml that are not plain http(s) URLs: script tags, javascript: URIs, quote characters or event-handler attributes. Jenkins stores these XML-escaped (e.g. &lt;script&gt;), so search for the escaped form or parse the XML before matching
Network Indicators:
- Requests from the browsers of users who viewed build pages to domains they have no business reaching; the payload runs client-side, so exfiltration leaves the victim's browser, not the Jenkins server, and web proxy logs are the place to look
- Unexpected outbound connections from the Jenkins controller or agents only if the script went on to create or run jobs
SIEM Query (Splunk-style; the controller's jenkins.log does not contain job configuration contents, so run the search over ingested config.xml files or configuration-history records rather than over jenkins.log):
source="*/jobs/*/config.xml" AND "gitbucket" AND ("&lt;script" OR "javascript:" OR "onerror" OR "onload")
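The config.xml review described under Detection and under "If You Can't Patch", as an added example that is not code from Jenkins, the GitBucket Plugin or the advisory. It parses each job's config.xml rather than grepping it, because Jenkins persists the stored URL XML-escaped ("&lt;script&gt;") and a raw search for "<script" misses it. The property element name org.jenkinsci.plugins.gitbucket.GitBucketProjectProperty is assumed from the plugin's package and should be confirmed against a real config.xml; the scan matches any element whose tag contains "gitbucket", so a differing name is still caught. The two config.xml fragments in the block are constructed, not taken from a real instance.

```python
"""Scan Jenkins job configurations for GitBucket URLs that carry script payloads
(CVE-2024-28157 / SECURITY-3249).

Added example, not code from Jenkins, the GitBucket Plugin or the advisory.
Walks $JENKINS_HOME/jobs/**/config.xml, parses the XML (the stored value is
escaped on disk, so grep for '<script' does not find it) and reports any
GitBucket URL that is not a plain http(s) URL. The element name
org.jenkinsci.plugins.gitbucket.GitBucketProjectProperty is an assumption.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# What a legitimate GitBucket URL looks like: http(s) scheme and none of the
# characters that break out of an href attribute or start a tag.
SAFE_URL = re.compile(r"^https?://[^\s<>\"'`]+$", re.IGNORECASE)
# Markers that identify the value as an XSS payload rather than a typo.
SUSPICIOUS = re.compile(r"javascript:|<\s*script|on\w+\s*=|<\s*(?:img|svg|iframe)\b",
                        re.IGNORECASE)


def find_gitbucket_urls(config_xml):
    """Return the text of every <url> element beneath an element whose tag
    mentions 'gitbucket' (the job property the plugin stores)."""
    root = ET.fromstring(config_xml)
    urls = []
    for elem in root.iter():
        if "gitbucket" in elem.tag.lower():
            for url in elem.iter("url"):
                urls.append((url.text or "").strip())
    return urls


def classify(url):
    """'suspicious' (known XSS markers), 'malformed' (not a plain http(s) URL) or 'ok'."""
    if SUSPICIOUS.search(url):
        return "suspicious"
    if not SAFE_URL.match(url):
        return "malformed"
    return "ok"


def scan_config(job_name, config_xml):
    """Findings for one job as (job, verdict, value) tuples; clean jobs yield []."""
    try:
        urls = find_gitbucket_urls(config_xml)
    except ET.ParseError as exc:
        return [(job_name, "unparseable", str(exc))]
    findings = []
    for url in urls:
        verdict = classify(url)
        if verdict != "ok":
            findings.append((job_name, verdict, url))
    return findings


def scan_jenkins_home(jenkins_home):
    """Scan every job, including jobs nested in folders (jobs/<folder>/jobs/<job>)."""
    jobs_dir = Path(jenkins_home, "jobs")
    findings = []
    for cfg in sorted(jobs_dir.rglob("config.xml")):
        job = cfg.parent.relative_to(jobs_dir).as_posix()
        findings.extend(scan_config(job, cfg.read_text(encoding="utf-8")))
    return findings


# Constructed config.xml fragments (not from a real instance).
CLEAN_CONFIG = """<project>
  <properties>
    <org.jenkinsci.plugins.gitbucket.GitBucketProjectProperty plugin="gitbucket@0.8">
      <url>https://gitbucket.example.internal/team/app</url>
      <linkEnabled>true</linkEnabled>
    </org.jenkinsci.plugins.gitbucket.GitBucketProjectProperty>
  </properties>
</project>
"""
# The payload as Jenkins would persist it: XML-escaped, so a raw grep for
# '<script' finds nothing, while the parsed value is a live payload.
INJECTED_CONFIG = CLEAN_CONFIG.replace(
    "https://gitbucket.example.internal/team/app",
    "https://gitbucket.example.internal/x&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_jenkins_home(sys.argv[1])       # e.g. /var/lib/jenkins
    else:                                              # offline demo on constructed data
        results = scan_config("clean-job", CLEAN_CONFIG) + scan_config("poisoned-job", INJECTED_CONFIG)
    for job, verdict, value in results:
        print("%-11s %s: %r" % (verdict, job, value))
```

Run it on the controller as the Jenkins service user (`python3 scan_gitbucket_urls.py /var/lib/jenkins`); with no argument it scans the two constructed fragments. Anything reported as "suspicious" identifies both a job to clean up and, via the Audit Trail or Job Configuration History plugin, the account that stored it.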