Security context
Medium· 5.4GHSA-98gq-6hxg-52r6 CVE-2021-21603CWE-79Published May 24, 2022

XSS vulnerability in Jenkins notification bar

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.2752.263.2 → fixed in 2.275

Details

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply button). This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents. Jenkins 2.275, LTS 2.263.2 escapes the content shown in notification bars.

The fix

[SECURITY-1889]

Matt Sicker· Jan 11, 2021, 04:51 PM+151f5d9842160
war/src/main/webapp/scripts/hudson-behavior.js+15 1
@@ -3048,6 +3048,8 @@ var notificationBar = {
this.div.onclick = function() {
self.hide();
};
+ } else {
+ this.div.innerHTML = "";
}
},
// cancel pending auto-hide timeout
@@ -3066,7 +3068,19 @@ var notificationBar = {
show : function (text,options) {
options = options || {};
this.init();
- this.div.innerHTML = "<div style=color:"+(options.iconColor || this.defaultIconColor)+";display:inline-block;><svg viewBox='0 0 24 24' focusable='false' class='svg-icon'><use href='"+rootURL+"/images/material-icons/"+(options.icon || this.defaultIcon)+"'></use></svg></div><span> "+text+"</span>";
+ var icon = this.div.appendChild(document.createElement("div"));
+ icon.style.display = "inline-block";
+ if (options.iconColor || this.defaultIconColor) {
+ icon.style.color = options.iconColor || this.defaultIconColor;
+ }
+ var svg = icon.appendChild(document.createElementNS("http://www.w3.org/2000/svg", "svg"));
+ svg.setAttribute("viewBox", "0 0 24 24");
+ svg.setAttribute("focusable", "false");
+ svg.setAttribute("class", "svg-icon");
+ var use = svg.appendChild(document.createElementNS("http://www.w3.org/2000/svg","use"));
+ use.setAttribute("href", rootURL + "/images/material-icons/" + (options.icon || this.defaultIcon));
+ var message = this.div.appendChild(document.createElement("span"));
+ message.appendChild(document.createTextNode(text));
this.div.className=options.alertClass || this.defaultAlertClass;
this.div.classList.add("notif-alert-show");

References