Improper Neutralization of Input During Web Page Generation in Jenkins
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
0 → fixed in 2.176.32.177 → fixed in 2.192
Details
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
The fix
[SECURITY-1453]
core/src/main/java/hudson/model/UpdateCenter.java+4 −4
@@ -1479,7 +1479,7 @@ public void run() {if(e.getMessage().contains("Connection timed out")) {// Google can't be down, so this is probably a proxy issueconnectionStates.put(ConnectionStatus.INTERNET, ConnectionStatus.FAILED);-statuses.add(Messages.UpdateCenter_Status_ConnectionFailed(connectionCheckUrl));+statuses.add(Messages.UpdateCenter_Status_ConnectionFailed(Functions.xmlEscape(connectionCheckUrl)));return;}}@@ -1501,12 +1501,12 @@ public void run() {statuses.add(Messages.UpdateCenter_Status_Success());} catch (UnknownHostException e) {connectionStates.put(ConnectionStatus.UPDATE_SITE, ConnectionStatus.FAILED);-statuses.add(Messages.UpdateCenter_Status_UnknownHostException(e.getMessage()));+statuses.add(Messages.UpdateCenter_Status_UnknownHostException(Functions.xmlEscape(e.getMessage())));addStatus(e);error = e;} catch (Exception e) {connectionStates.put(ConnectionStatus.UPDATE_SITE, ConnectionStatus.FAILED);-statuses.add(Functions.printThrowable(e));+addStatus(e);error = e;}@@ -1520,7 +1520,7 @@ public void run() {}}-private void addStatus(UnknownHostException e) {+private void addStatus(Throwable e) {statuses.add("<pre>"+ Functions.xmlEscape(Functions.printThrowable(e))+"</pre>");}
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10383
- WEBhttps://github.com/jenkinsci/jenkins/commit/fb88530f77d38660ab2aae8c2e842944f0fb1507
- WEBhttps://access.redhat.com/errata/RHSA-2019:2789
- WEBhttps://access.redhat.com/errata/RHSA-2019:3144
- WEBhttps://jenkins.io/security/advisory/2019-08-28/#SECURITY-1453
- WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
- WEBhttp://www.openwall.com/lists/oss-security/2019/08/28/4