Security context
Medium· 4.8GHSA-9m48-54pj-h248 CVE-2019-10383CWE-79Published May 24, 2022

Improper Neutralization of Input During Web Page Generation in Jenkins

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.176.32.177 → fixed in 2.192

Details

A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.

The fix

[SECURITY-1453]

Wadeck Follonier· Aug 13, 2019, 10:36 AM+44fb88530f77
core/src/main/java/hudson/model/UpdateCenter.java+4 4
@@ -1479,7 +1479,7 @@ public void run() {
if(e.getMessage().contains("Connection timed out")) {
// Google can't be down, so this is probably a proxy issue
connectionStates.put(ConnectionStatus.INTERNET, ConnectionStatus.FAILED);
- statuses.add(Messages.UpdateCenter_Status_ConnectionFailed(connectionCheckUrl));
+ statuses.add(Messages.UpdateCenter_Status_ConnectionFailed(Functions.xmlEscape(connectionCheckUrl)));
return;
}
}
@@ -1501,12 +1501,12 @@ public void run() {
statuses.add(Messages.UpdateCenter_Status_Success());
} catch (UnknownHostException e) {
connectionStates.put(ConnectionStatus.UPDATE_SITE, ConnectionStatus.FAILED);
- statuses.add(Messages.UpdateCenter_Status_UnknownHostException(e.getMessage()));
+ statuses.add(Messages.UpdateCenter_Status_UnknownHostException(Functions.xmlEscape(e.getMessage())));
addStatus(e);
error = e;
} catch (Exception e) {
connectionStates.put(ConnectionStatus.UPDATE_SITE, ConnectionStatus.FAILED);
- statuses.add(Functions.printThrowable(e));
+ addStatus(e);
error = e;
}
@@ -1520,7 +1520,7 @@ public void run() {
}
}
- private void addStatus(UnknownHostException e) {
+ private void addStatus(Throwable e) {
statuses.add("<pre>"+ Functions.xmlEscape(Functions.printThrowable(e))+"</pre>");
}

References