Jenkins Cross-site Scripting vulnerability in project naming strategy
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
0 → fixed in 2.235.42.236 → fixed in 2.252
Details
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, that is displayed on item creation.\n\nThis results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.\n\nJenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.
The fix
[SECURITY-1957]
war/src/main/js/add-item.js+1 −1
@@ -59,7 +59,7 @@ $.when(getItems()).done(function(data) {function activateValidationMessage(messageId, context, message) {if (message !== undefined && message !== '') {-$(messageId, context).html('» ' + message);+$(messageId, context).text('» ' + message);}cleanValidationMessages(context);hideInputHelp(context);
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-2230
- WEBhttps://github.com/jenkinsci/jenkins/commit/e49f690939596acbc9a1be64128b2c7eaf91a6db
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://jenkins.io/security/advisory/2020-08-12/#SECURITY-1957
- WEBhttp://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html
- WEBhttp://www.openwall.com/lists/oss-security/2020/08/12/4