CVE-2024-52552
📋 TL;DR
The Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name as JavaScript on its Authorization view. A job name crafted by an attacker with Item/Configure permission is therefore stored by Jenkins and executed in the browser of whoever later opens that view, typically an administrator reviewing which identity a job runs as. The script runs inside the victim's Jenkins session, so the attacker can perform actions as that user. Any Jenkins instance with an affected plugin version installed is affected, regardless of how the plugin is configured.
💻 Affected Systems
- Jenkins Authorize Project Plugin
📦 What is this software?
The Authorize Project plugin lets Jenkins administrators choose which user's authorization a job's builds run with (for example the user who triggered the build, or a specific configured user) instead of the default SYSTEM identity. The per-job Authorization view where that choice is made is the page that renders the job name unsafely.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who gets an administrator to open the Authorization view of the malicious job can run arbitrary JavaScript in that administrator's session: create users or API tokens, change job configurations to run attacker-controlled build steps, or, if the victim holds Overall/Administer, execute Groovy through the script console and from there reach credentials, build agents and other systems on the network.
Likely Case
An attacker with Item/Configure permission plants the payload in a job name and waits for a more privileged user to open that job's Authorization view. The realistic outcome is actions performed with the victim's session rather than a noisy compromise: a quietly modified job configuration, a new API token, or an added permission that gives the attacker persistent access.
If Mitigated
With Item/Configure granted only to trusted users, the pool of possible attackers shrinks to people who can already change job configurations; the residual risk is one of those users escalating to an administrator's privileges through the XSS.
🎯 Exploit Status
Exploitation requires Item/Configure permission on at least one job (enough to control its name) and a victim who opens the plugin's Authorization view for that job. The flaw is that the view evaluates a string containing the job name as JavaScript instead of treating it as data. The advisory lists no further preconditions and does not reference a public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0 or later (the advisory states that Authorize Project Plugin 1.8.0 escapes the job name on the Authorization view)
Vendor Advisory: https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3010
Restart Required: Yes
Instructions:
1. Sign in to the Jenkins web interface as a user with Overall/Administer.
2. Go to Manage Jenkins > Plugins (labelled Manage Plugins on older releases).
3. Open the Updates tab. The plugin is already installed, so it will not be listed under Available.
4. Tick Authorize Project and choose the update action (on current releases "Download now and install after restart").
5. Restart Jenkins when no builds are running. The fix is active once the Installed tab reports 1.8.0 or later.
🔧 Temporary Workarounds
Restrict Item/Configure Permissions
Limit Item/Configure to trusted administrators. This shrinks the set of users who can plant a job name but does not protect against a malicious insider who already holds the permission.
Disable Plugin Temporarily
Disable the Authorize Project plugin if it is not required for operations. Note that jobs configured to run as a specific user will then fall back to running as SYSTEM, which may change what those builds can access.
Navigate to Manage Jenkins > Plugins > Installed tab, find Authorize Project, untick Enabled, then restart Jenkins; disabling a plugin does not take effect until restart.
🧯 If You Can't Patch
- Restrict Item/Configure to essential personnel only, and review who currently holds it on each folder and job, since folder-level grants are easy to overlook.
- Monitor job creation and rename events for names containing quotes, backslashes or HTML tags (the Audit Trail plugin or a config-history plugin records these; the default Jenkins log does not). A web application firewall is of limited value here: the payload is stored in an ordinary job-name field and fires on a page load by the victim, not on a request that looks like an attack.
🔍 How to Verify
Check if Vulnerable:
Open Manage Jenkins > Plugins > Installed tab and read the Authorize Project version. 1.7.2 or earlier is vulnerable; 1.8.0 or later is fixed.
Check Version:
curl -s -u "$USER:$API_TOKEN" 'http://jenkins-host/pluginManager/api/json?depth=1&tree=plugins[shortName,version]' \
  | jq -r '.plugins[] | select(.shortName=="authorize-project") | .version'
The request must be authenticated as an administrator (use an API token, not a password). The `tree` filter trims the response to the two fields needed; do not rely on `grep` matching `"shortName"` and `"version"` side by side, because the plugin-manager JSON places other fields between them.
Verify Fix Applied:
After updating, verify that the Authorize Project plugin shows version 1.8.0 or later in Manage Jenkins > Plugins > Installed tab, and that Jenkins has actually been restarted since the update (the Installed tab marks plugins that are still waiting for a restart).
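The version comparison is the step people get wrong by hand or with a string compare ("1.10.0" sorts before "1.8.0" as text). The script below is an added example for this page, not code from the Jenkins project or the plugin; it assumes the response shape of `GET /pluginManager/api/json?depth=1&tree=plugins[shortName,version]` and that 1.8.0 is the first fixed release as the advisory states. The sample response embedded at the bottom is constructed, not captured from a real server.

```python
"""Version check for CVE-2024-52552 against Jenkins' plugin-manager JSON.

Added example; not from the Jenkins project or the Authorize Project plugin.
Assumes the shape of /pluginManager/api/json?depth=1&tree=plugins[shortName,version]
and that FIXED_VERSION is the first release that escapes the job name.
"""
import json
import re
from typing import Optional, Tuple

PLUGIN = "authorize-project"
FIXED_VERSION = "1.8.0"  # assumption: version the advisory names as fixed


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric components of a version; a pre-release suffix after '-' is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", core))


def is_older(a: str, b: str) -> bool:
    """True when version a sorts before version b, component by component.

    Missing trailing components count as zero, so '1.8' equals '1.8.0', and
    '1.10.0' sorts after '1.8.0' (a plain string compare gets that wrong).
    """
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def installed_version(api_json: str, short_name: str = PLUGIN) -> Optional[str]:
    """Version of short_name in the plugin-manager response, or None if not installed."""
    for plugin in json.loads(api_json).get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin.get("version")
    return None


def is_vulnerable(version: Optional[str]) -> bool:
    """Affected range is 1.7.2 and earlier, i.e. anything below FIXED_VERSION."""
    if version is None:
        return False  # plugin not installed: not exposed to this issue
    return is_older(version, FIXED_VERSION)


# Constructed sample of the API response (not captured from a real server).
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "script-security", "version": "1369.v9b_98a_4e95b_2d"},
        {"shortName": "authorize-project", "version": "1.7.2"},
    ]
})

if __name__ == "__main__":
    found = installed_version(SAMPLE_RESPONSE)
    state = "VULNERABLE" if is_vulnerable(found) else "not affected"
    print(f"{PLUGIN}: {found} -> {state}")
```

To run it against a live controller, replace `SAMPLE_RESPONSE` with the body returned by the authenticated `curl` above. Pre-release suffixes are deliberately ignored, so a `1.8.0-beta` build would be reported as fixed; treat such builds as unverified.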
📡 Detection & Monitoring
Log Indicators:
- Job creation or rename events where the new name contains quote characters, backslashes, angle brackets or script-like substrings. The default Jenkins log does not record these; the Audit Trail plugin or a config-history plugin does.
- Unexpected configuration changes, API token creation or new user accounts shortly after an administrator viewed a job's Authorization page.
Network Indicators:
- HTTP POSTs to createItem or to a job's rename endpoint whose name parameter contains quotes, backslashes, angle brackets or `javascript:`. Later GET requests to the job's Authorization view by privileged users are the trigger, not the injection, so correlate the two.
SIEM Query:
source="jenkins-access.log" AND (uri="*/createItem*" OR uri="*/confirmRename*" OR uri="*/doRename*") AND (name="*'*" OR name="*\"*" OR name="*\\*" OR name="*<*" OR newName="*'*" OR newName="*\"*" OR newName="*\\*" OR newName="*<*")
Field names depend on how your access log is ingested; `name` is the createItem parameter and `newName` the rename parameter. Avoid matching the bare word "script" across the whole Jenkins log: it appears in routine Pipeline and Script Security messages and produces mostly noise.
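Because the payload lives in stored job names rather than in a transient request, the most reliable hunt is over the job list itself. The script below is an added example for this page, not code from the Jenkins project or the plugin. It assumes the nested response shape of `GET /api/json?tree=jobs[name,fullName,jobs[name,fullName,jobs[name,fullName]]]` (folders carry a nested `jobs` list) and flags names containing characters that can end a JavaScript string literal or open an HTML tag. The character list is a hunting heuristic, not a statement of what the plugin accepts or what a working payload must contain; the sample job list is constructed.

```python
"""Hunt for stored Jenkins job names that could break out of a JS string or HTML context.

Added example; not from the Jenkins project or the Authorize Project plugin.
Assumes the nested shape of /api/json?tree=jobs[name,fullName,jobs[...]].
"""
import json
import re
from typing import Dict, Iterator, List

# Characters that terminate or escape a JavaScript string literal, or open an HTML tag.
BREAKOUT_CHARS = {
    "'": "single quote",
    '"': "double quote",
    "\\": "backslash",
    "`": "backtick",
    "<": "less-than",
    ">": "greater-than",
}
# Substrings that almost never occur in a legitimate job name.
SCRIPT_MARKERS = re.compile(r"<script|javascript:|\bon\w+\s*=|\$\{", re.IGNORECASE)


def iter_job_names(node: dict) -> Iterator[str]:
    """Yield fullName for every job under node, descending into folders."""
    for job in node.get("jobs", []):
        yield job.get("fullName", job.get("name", ""))
        yield from iter_job_names(job)  # folders nest children under "jobs"


def suspicious_reasons(name: str) -> List[str]:
    """Why a job name deserves a look; empty list means nothing unusual."""
    reasons = [label for ch, label in BREAKOUT_CHARS.items() if ch in name]
    match = SCRIPT_MARKERS.search(name)
    if match:
        reasons.append(f"marker {match.group(0)!r}")
    return reasons


def hunt(api_json: str) -> Dict[str, List[str]]:
    """Map each suspicious job fullName to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for full_name in iter_job_names(json.loads(api_json)):
        reasons = suspicious_reasons(full_name)
        if reasons:
            findings[full_name] = reasons
    return findings


# Constructed sample (not from a real server): a plain job, a folder whose child
# has an apostrophe in its name, and a job name carrying an HTML-looking fragment.
SAMPLE = json.dumps({
    "jobs": [
        {"name": "nightly-build", "fullName": "nightly-build"},
        {"name": "team-a", "fullName": "team-a", "jobs": [
            {"name": "O'Brien reports", "fullName": "team-a/O'Brien reports"},
            {"name": "deploy", "fullName": "team-a/deploy"},
        ]},
        {"name": "report <img src=x>", "fullName": "report <img src=x>"},
    ]
})

if __name__ == "__main__":
    for full_name, reasons in hunt(SAMPLE).items():
        print(f"{full_name!r}: {', '.join(reasons)}")
```

Expect false positives such as the apostrophe in "O'Brien reports": on an affected plugin version a quote is exactly the character that matters, so review each hit rather than alerting on it blindly, and run the hunt again after patching to confirm nothing was left behind.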