CVE-2023-39151 Overview
CVE-2023-39151 is a stored Cross-Site Scripting (XSS) vulnerability affecting Jenkins 2.415 and earlier versions, as well as LTS 2.401.2 and earlier. The vulnerability exists because Jenkins does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks. Attackers who can control build log contents can exploit this flaw to inject malicious scripts that execute in the context of other users viewing the build logs.
Critical Impact
Attackers with the ability to influence build log contents can inject malicious JavaScript that executes when other users view build logs, potentially leading to session hijacking, credential theft, or unauthorized actions within the Jenkins environment.
Affected Products
- Jenkins 2.415 and earlier (weekly releases)
- Jenkins LTS 2.401.2 and earlier (Long Term Support)
- All Jenkins installations where build logs are viewable by users
Discovery Timeline
- 2023-07-26 - CVE-2023-39151 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-39151
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) resides in Jenkins' build log rendering functionality. When Jenkins processes build logs for display, it automatically converts URL-like strings into clickable hyperlinks to improve usability. However, the URL transformation logic fails to properly sanitize or encode the URL content before embedding it in the HTML output.
An attacker who can influence build log contents—such as through malicious repository URLs, environment variables, or build parameters—can craft specially formatted strings that, when transformed into hyperlinks, result in executable JavaScript code being injected into the page. This malicious script then executes in the browsers of any users who view the affected build logs.
The vulnerability requires user interaction (viewing the build log) and low privileges to exploit, but it can affect users across different security contexts, making it particularly dangerous in multi-tenant Jenkins environments.
Root Cause
The root cause is improper input validation and output encoding in Jenkins' build log URL transformation feature. When converting text that appears to be a URL into an HTML anchor element, Jenkins fails to:
- Validate that the URL conforms to safe schemes (http/https)
- Properly encode special characters that could break out of HTML attribute context
- Sanitize JavaScript-related URL schemes or encoded payloads
This allows attackers to craft malicious payloads that bypass the URL detection logic while still being rendered as executable HTML/JavaScript.
Attack Vector
The attack is network-based and requires an authenticated user with the ability to influence build log output. Common attack vectors include:
- Injecting malicious URLs through SCM repository configurations
- Using crafted build parameters that get logged during execution
- Manipulating environment variables that appear in build output
- Exploiting pipeline scripts that log user-controllable input
When a victim (such as an administrator) views the build log containing the malicious payload, the injected JavaScript executes in their browser session with their privileges, potentially allowing the attacker to perform actions as the victim, steal session tokens, or exfiltrate sensitive information.
The vulnerability manifests in Jenkins' build log rendering logic when URLs are transformed into hyperlinks. For detailed technical analysis of the injection mechanism, refer to the Jenkins Security Advisory #SECURITY-3188.
Detection Methods for CVE-2023-39151
Indicators of Compromise
- Build logs containing unusual URL patterns with JavaScript or encoded script content
- Unexpected javascript: scheme URLs or data URIs in build output
- Build logs with HTML entities or encoded characters in URL-like strings
- User reports of unexpected browser behavior when viewing build logs
Detection Strategies
- Monitor build logs for patterns matching XSS payloads such as <script>, javascript:, or encoded variants
- Implement Content Security Policy (CSP) headers to detect and report inline script execution attempts
- Review Jenkins access logs for unusual patterns of build log access following specific builds
- Deploy browser-based XSS detection extensions for administrators accessing Jenkins
Monitoring Recommendations
- Enable Jenkins audit logging to track build log access patterns
- Configure Web Application Firewall (WAF) rules to detect XSS patterns in build outputs
- Implement centralized logging to correlate build submissions with potential malicious content
- Set up alerts for builds from untrusted sources that contain URL-like patterns in logs
How to Mitigate CVE-2023-39151
Immediate Actions Required
- Upgrade Jenkins to version 2.416 or later (weekly) or LTS 2.401.3 or later immediately
- Review recent build logs for suspicious URL patterns or encoded content
- Restrict build log viewing permissions to trusted users until patching is complete
- Consider temporarily disabling automatic URL hyperlinking if patch cannot be applied immediately
Patch Information
Jenkins has released patches addressing this vulnerability. According to the Jenkins Security Advisory #SECURITY-3188, users should upgrade to:
- Jenkins weekly: Version 2.416 or later
- Jenkins LTS: Version 2.401.3 or later
The patch implements proper URL validation and output encoding to prevent malicious content from being rendered as executable code. Organizations should prioritize this update, especially in environments where multiple users have access to build configurations or where build logs are visible to users with lower trust levels.
Workarounds
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Restrict access to build log viewing using Jenkins' authorization strategy
- Use the Script Security plugin to limit what scripts can output to build logs
- Review and sanitize build parameters and environment variables before they reach build logs
# Example: Configure Jenkins with restrictive CSP headers
# Add to jenkins.xml or startup arguments
JAVA_OPTS="-Dhudson.model.DirectoryBrowserSupport.CSP=\"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'\""
# Verify Jenkins version after upgrade
java -jar jenkins-cli.jar -s http://localhost:8080/ version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
