
CVE-2024-28149: Jenkins HTML Publisher Plugin does not properly sanitize input

CVSS Score: 8.0 (CVSS v3.1)

Basic Information

EPSS Score: 0.33812%
Published: 3/6/2024
Updated: 12/6/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name                          Ecosystem   Vulnerable Versions   First Patched Version
org.jenkins-ci.plugins:htmlpublisher  maven       >= 1.16, < 1.32.1     1.32.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two related weaknesses. First, getLegacySanitizedName performed only minimal sanitization of the user-supplied report name, so a name chosen by a user with Item/Configure permission could carry HTML that is rendered unescaped (stored XSS) as well as path segments that traverse outside the intended report directory. Second, the dir methods in HTMLAction and HTMLBuildAction fell back to checking the legacy path derived from getLegacySanitizedName, so the existence check on that path let the same user learn whether an arbitrary path exists on the controller's file system (filesystem probing). The patch (8bf2e22) removed both the legacy-path fallback and the getLegacySanitizedName function, confirming their role in the vulnerability, and the accompanying Security3301Test cases exercise report names that bypass the weak sanitization, further validating these functions as the root cause.
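As an added illustration of the two weaknesses described above, the following Python model is not the plugin's code and does not reproduce the real getLegacySanitizedName: it assumes a "legacy" sanitizer that only rewrites spaces and a strict allowlist sanitizer, then contrasts an existence check on the legacy-derived path (the probing oracle) with a lookup that requires the resolved directory to stay inside the report root, and an unescaped title rendering with an escaped one. The directory layout, report names and the XSS payload are constructed for the example.

```python
import html
import re
import tempfile
from pathlib import Path

# Hypothetical model of the bug class behind CVE-2024-28149 (not the plugin's
# code): a "legacy" report-name sanitizer that only rewrites spaces, beside an
# allowlist sanitizer, plus the report-directory lookup with and without a
# containment check on the resolved path.


def legacy_sanitize(report_name: str) -> str:
    """Weak sanitizer (assumed): spaces become underscores, nothing else changes."""
    return report_name.replace(" ", "_")


_DISALLOWED = re.compile(r"[^A-Za-z0-9_.-]")


def strict_sanitize(report_name: str) -> str:
    """Allowlist sanitizer: every character outside [A-Za-z0-9_.-] becomes '_'.
    Note that a bare '..' still survives, so this alone is not enough."""
    return _DISALLOWED.sub("_", report_name)


def vulnerable_render_title(report_name: str) -> str:
    """Interpolates the legacy-sanitized name into HTML without escaping (stored XSS)."""
    return "<h1>" + legacy_sanitize(report_name) + "</h1>"


def hardened_render_title(report_name: str) -> str:
    """Escapes the raw name at output; display does not need the filesystem sanitizer."""
    return "<h1>" + html.escape(report_name, quote=True) + "</h1>"


def vulnerable_report_exists(root: Path, report_name: str) -> bool:
    """Existence check on root/<legacy name>: '..' segments make it answer
    'does this path exist?' for any location the process can stat."""
    return (root / legacy_sanitize(report_name)).exists()


def hardened_report_dir(root: Path, report_name: str) -> Path:
    """Sanitize, resolve symlinks and '..', then require a strict descendant of root."""
    root_resolved = root.resolve()
    candidate = (root_resolved / strict_sanitize(report_name)).resolve()
    if root_resolved not in candidate.parents:
        raise ValueError(f"report name {report_name!r} escapes {root_resolved}")
    return candidate


def demo() -> dict:
    """Runs both variants against a constructed layout inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        report_root = base / "htmlreports"      # constructed report root
        report_root.mkdir()
        (base / "secrets").mkdir()              # constructed directory outside the root
        (report_root / "nightly").mkdir()       # constructed legitimate report

        results = {}
        # 1) Oracle: the legacy path check reveals whether ../secrets exists.
        results["legacy_leaks_outside_path"] = vulnerable_report_exists(report_root, "../secrets")
        results["legacy_negative_probe"] = vulnerable_report_exists(report_root, "../absent")
        # 2) Hardened lookup: '..' passes the allowlist but fails containment.
        try:
            hardened_report_dir(report_root, "..")
            results["hardened_rejects_dotdot"] = False
        except ValueError:
            results["hardened_rejects_dotdot"] = True
        results["hardened_accepts_legit"] = (
            hardened_report_dir(report_root, "nightly") == (report_root / "nightly").resolve()
        )
        # 3) XSS: legacy rendering keeps the tag, hardened rendering escapes it.
        payload = "<script>alert(1)</script>"   # constructed report name
        results["legacy_renders_script"] = "<script>" in vulnerable_render_title(payload)
        results["hardened_renders_script"] = "<script>" in hardened_render_title(payload)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the model makes explicit: a bare ".." survives even the allowlist, so it is the containment check on the resolved path, not the character filter, that closes the probing oracle; and the XSS is closed by escaping at output, independently of whatever the filesystem-name sanitizer does.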


WAF Protection Rules

WAF Rule

Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins contro
