CVE-2024-28160
📋 TL;DR
The Jenkins iceScrum Plugin 1.1.6 and earlier contains a stored cross-site scripting (XSS) vulnerability where iceScrum project URLs displayed on build views are not properly sanitized. Attackers with permission to configure jobs can inject malicious scripts that execute when users view affected pages. This affects Jenkins instances using the vulnerable iceScrum plugin.
💻 Affected Systems
- Jenkins iceScrum Plugin
📦 What is this software?
Icescrum by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
An attacker with job configuration privileges could inject malicious JavaScript that steals session cookies, performs actions as authenticated users, or redirects to phishing sites when users view build pages.
Likely Case
Attackers with job configuration access inject scripts to steal session tokens, potentially gaining administrative access to the Jenkins instance.
If Mitigated
With proper access controls limiting job configuration to trusted users only, the attack surface is significantly reduced.
🎯 Exploit Status
Exploitation requires job configuration privileges. The vulnerability is straightforward to exploit once an attacker has the necessary permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.7 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3248
Restart Required: Yes
Instructions:
1. Update Jenkins iceScrum Plugin to version 1.1.7 or later via Jenkins Plugin Manager
2. Restart Jenkins after plugin update
3. Verify the plugin version in Manage Jenkins > Manage Plugins
🔧 Temporary Workarounds
Disable iceScrum Plugin
Temporarily disable the vulnerable plugin until patching is possible
Navigate to Manage Jenkins > Manage Plugins > Installed
Find iceScrum Plugin and click Disable
Restrict Job Configuration Permissions
Limit who can configure jobs to reduce the attack surface
Configure the Jenkins authorization matrix so that the Job/Configure permission is granted only to a minimal set of trusted users
🧯 If You Can't Patch
- Disable the iceScrum plugin entirely
- Implement strict access controls to limit job configuration to essential personnel only
🔍 How to Verify
Check if Vulnerable:
Check iceScrum plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab, look for iceScrum Plugin version
Check Version:
Check Jenkins plugin directory or use Jenkins CLI: java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | grep iceScrum
Verify Fix Applied:
Verify iceScrum plugin version is 1.1.7 or higher in Manage Jenkins > Manage Plugins
📡 Detection & Monitoring
Log Indicators:
- Unusual job configuration activity
- Suspicious URL patterns in iceScrum project configurations
Network Indicators:
- Unexpected JavaScript loading from Jenkins build pages
- External script calls from Jenkins interface
SIEM Query:
source="jenkins.log" AND ("iceScrum" OR "project URL") AND ("configure" OR "update")
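As an added example (not part of this advisory or the plugin's own code), the following Python serves the version check in "How to Verify" and the "suspicious URL patterns" indicator in "Detection & Monitoring": it reads `list-plugins` output, compares the iceScrum version numerically against the 1.1.7 fix, and audits a configured project URL for the markup or non-http scheme a build view would otherwise render. The `list-plugins` column layout and the sample output are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

FIXED_VERSION = (1, 1, 7)  # first release without the flaw, per the advisory

# Constructed sample of `jenkins-cli list-plugins` output (column layout is an
# assumption: short name, display name, version, optional "(update)" marker).
SAMPLE_LIST_PLUGINS = """\
git           Git plugin                      5.2.1
icescrum      iceScrum Plugin                 1.1.6 (1.1.7)
matrix-auth   Matrix Authorization Strategy   3.2.2
"""

def parse_version(text):
    """'1.1.6' -> (1, 1, 6); compared numerically, so 1.1.10 > 1.1.7."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_vulnerable_version(version):
    return parse_version(version) < FIXED_VERSION

def find_icescrum_plugin(list_plugins_output):
    """Return (version, vulnerable) for the iceScrum line, or None if absent."""
    for line in list_plugins_output.splitlines():
        fields = line.split()
        if not fields or "icescrum" not in fields[0].lower():
            continue
        while len(fields) > 1 and fields[-1].startswith("("):
            fields.pop()  # drop the "(1.1.7)" update-available marker
        return fields[-1], is_vulnerable_version(fields[-1])
    return None

def audit_project_url(url):
    """Findings for a configured iceScrum project URL that a build view would
    render unescaped; an empty list means the value looks like a plain link."""
    findings = []
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        findings.append("scheme is not http/https")
    if re.search(r"""[<>"']""", url):
        findings.append("contains HTML or attribute delimiters")
    return findings

def safe_href(url):
    """Hardened rendering: allow-list the scheme, then HTML-escape the value
    for an href attribute. Returns None when the URL must not be rendered."""
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return None
    return html.escape(url.strip(), quote=True)

if __name__ == "__main__":
    print(find_icescrum_plugin(SAMPLE_LIST_PLUGINS))
    print(audit_project_url('https://icescrum.example.com/p/DEMO"><b>x</b>'))
```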