Security context
High· 8.0GHSA-9g4m-ffx6-c29g CVE-2020-2230CWE-79Published May 24, 2022

Jenkins Cross-site Scripting vulnerability in project naming strategy

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.235.42.236 → fixed in 2.252

Details

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, that is displayed on item creation.\n\nThis results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.\n\nJenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.

The fix

[SECURITY-1957]

Daniel Beck· Jul 29, 2020, 08:53 AM+11e49f690939
war/src/main/js/add-item.js+1 1
@@ -59,7 +59,7 @@ $.when(getItems()).done(function(data) {
function activateValidationMessage(messageId, context, message) {
if (message !== undefined && message !== '') {
- $(messageId, context).html('» ' + message);
+ $(messageId, context).text('» ' + message);
}
cleanValidationMessages(context);
hideInputHelp(context);

References