Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
0 → fixed in 2.176.42.177 → fixed in 2.197
Details
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
The fix
[SECURITY-1505]
core/src/main/resources/hudson/security/WhoAmI/index.jelly+20 −10
@@ -74,18 +74,28 @@ THE SOFTWARE.<h2>Request Headers</h2><table><j:forEach var="n" items="${request.getHeaderNames()}">-<j:set var="values" value="${h.getRequestHeaders(n)}"/>-<tr>-<td rowspan="${values.size()}">${n}</td>-<td>-${values[0]}-</td>-</tr>-<j:forEach var="v" items="${values.subList(1,values.size())}">+<j:if test="${n.equalsIgnoreCase('Cookie')}"><tr>-<td>${v}</td>+<td rowspan="1">${n}</td>+<td>+<i>(redacted for security reasons)</i>+</td></tr>-</j:forEach>+</j:if>+<j:if test="${!n.equalsIgnoreCase('Cookie')}">+<j:set var="values" value="${h.getRequestHeaders(n)}"/>+<tr>+<td rowspan="${values.size()}">${n}</td>+<td>+${values[0]}+</td>+</tr>+<j:forEach var="v" items="${values.subList(1,values.size())}">+<tr>+<td>${v}</td>+</tr>+</j:forEach>+</j:if></j:forEach></table></l:main-panel>