Security context
MediumGHSA-fxj8-cqcp-3vgq CVE-2014-2065CWE-79Published May 17, 2022

Jenkins cross-site scripting (XSS) vulnerability

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

1.533 → fixed in 1.5510 → fixed in 1.532.2

Details

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

The fix

[FIXED SECURITY-77] XSS in iconSize cookie.

Jesse Glick· Feb 7, 2014, 08:16 PM+157a0b00508ee
core/src/main/java/hudson/Functions.java+11 0
@@ -123,6 +123,8 @@
import java.util.logging.SimpleFormatter;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
/**
* Utility functions used in views.
@@ -426,6 +428,15 @@ public static String getCookie(HttpServletRequest req,String name, String defaul
return c.getValue();
}
+ private static final Pattern ICON_SIZE = Pattern.compile("\\d+x\\d+");
+ @Restricted(NoExternalUse.class)
+ public static String validateIconSize(String iconSize) throws SecurityException {
+ if (!ICON_SIZE.matcher(iconSize).matches()) {
+ throw new SecurityException("invalid iconSize");
+ }
+ return iconSize;
+ }
+
/**
* Gets the suffix to use for YUI JavaScript.
*/
core/src/main/java/hudson/model/View.java+1 1
@@ -766,7 +766,7 @@ public AsynchPeople(View parent) {
{
StaplerRequest req = Stapler.getCurrentRequest();
- iconSize = req != null ? Functions.getCookie(req, "iconSize", "32x32") : "32x32";
+ iconSize = req != null ? Functions.validateIconSize(Functions.getCookie(req, "iconSize", "32x32")) : "32x32";
}
@Override protected void compute() throws Exception {
core/src/main/java/jenkins/model/Jenkins.java+2 5
@@ -295,7 +295,6 @@
import static java.util.logging.Level.SEVERE;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
-import java.util.regex.Pattern;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
@@ -3417,9 +3416,9 @@ public void doSignup( StaplerRequest req, StaplerResponse rsp ) throws IOExcepti
*/
public void doIconSize( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
String qs = req.getQueryString();
- if(qs==null || !ICON_SIZE.matcher(qs).matches())
+ if(qs==null)
throw new ServletException();
- Cookie cookie = new Cookie("iconSize", qs);
+ Cookie cookie = new Cookie("iconSize", Functions.validateIconSize(qs));
cookie.setMaxAge(/* ~4 mo. */9999999); // #762
rsp.addCookie(cookie);
String ref = req.getHeader("Referer");
@@ -3964,8 +3963,6 @@ public static VersionNumber getVersion() {
private static final Logger LOGGER = Logger.getLogger(Jenkins.class.getName());
- private static final Pattern ICON_SIZE = Pattern.compile("\\d+x\\d+");
-
public static final PermissionGroup PERMISSIONS = Permission.HUDSON_PERMISSIONS;
public static final Permission ADMINISTER = Permission.HUDSON_ADMINISTER;
public static final Permission READ = new Permission(PERMISSIONS,"Read",Messages._Hudson_ReadPermission_Description(),Permission.READ,PermissionScope.JENKINS);
core/src/main/resources/lib/hudson/setIconSize.jelly+1 1
@@ -27,7 +27,7 @@ THE SOFTWARE.
-->
<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:x="jelly:xml" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
- <j:set scope="parent" var="iconSize" value="${h.getCookie(request,'iconSize','32x32')}" />
+ <j:set scope="parent" var="iconSize" value="${h.validateIconSize(h.getCookie(request,'iconSize','32x32'))}" />
<!--
balls look smaller than their actual size,
so we try not to make the secondary icons look bigger than the icon.

References