Jenkins cross-site scripting (XSS) vulnerability
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
1.533 → fixed in 1.5510 → fixed in 1.532.2
Details
Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.
The fix
[FIXED SECURITY-77] XSS in iconSize cookie.
core/src/main/java/hudson/Functions.java+11 −0
@@ -123,6 +123,8 @@import java.util.logging.SimpleFormatter;import java.util.regex.Pattern;import org.apache.commons.lang.StringUtils;+import org.kohsuke.accmod.Restricted;+import org.kohsuke.accmod.restrictions.NoExternalUse;/*** Utility functions used in views.@@ -426,6 +428,15 @@ public static String getCookie(HttpServletRequest req,String name, String defaulreturn c.getValue();}+private static final Pattern ICON_SIZE = Pattern.compile("\\d+x\\d+");+@Restricted(NoExternalUse.class)+public static String validateIconSize(String iconSize) throws SecurityException {+if (!ICON_SIZE.matcher(iconSize).matches()) {+throw new SecurityException("invalid iconSize");+}+return iconSize;+}+/*** Gets the suffix to use for YUI JavaScript.*/
core/src/main/java/hudson/model/View.java+1 −1
@@ -766,7 +766,7 @@ public AsynchPeople(View parent) {{StaplerRequest req = Stapler.getCurrentRequest();-iconSize = req != null ? Functions.getCookie(req, "iconSize", "32x32") : "32x32";+iconSize = req != null ? Functions.validateIconSize(Functions.getCookie(req, "iconSize", "32x32")) : "32x32";}@Override protected void compute() throws Exception {
core/src/main/java/jenkins/model/Jenkins.java+2 −5
@@ -295,7 +295,6 @@import static java.util.logging.Level.SEVERE;import java.util.logging.LogRecord;import java.util.logging.Logger;-import java.util.regex.Pattern;import javax.annotation.CheckForNull;import javax.annotation.Nonnull;import javax.annotation.Nullable;@@ -3417,9 +3416,9 @@ public void doSignup( StaplerRequest req, StaplerResponse rsp ) throws IOExcepti*/public void doIconSize( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {String qs = req.getQueryString();-if(qs==null || !ICON_SIZE.matcher(qs).matches())+if(qs==null)throw new ServletException();-Cookie cookie = new Cookie("iconSize", qs);+Cookie cookie = new Cookie("iconSize", Functions.validateIconSize(qs));cookie.setMaxAge(/* ~4 mo. */9999999); // #762rsp.addCookie(cookie);String ref = req.getHeader("Referer");@@ -3964,8 +3963,6 @@ public static VersionNumber getVersion() {private static final Logger LOGGER = Logger.getLogger(Jenkins.class.getName());-private static final Pattern ICON_SIZE = Pattern.compile("\\d+x\\d+");-public static final PermissionGroup PERMISSIONS = Permission.HUDSON_PERMISSIONS;public static final Permission ADMINISTER = Permission.HUDSON_ADMINISTER;public static final Permission READ = new Permission(PERMISSIONS,"Read",Messages._Hudson_ReadPermission_Description(),Permission.READ,PermissionScope.JENKINS);
core/src/main/resources/lib/hudson/setIconSize.jelly+1 −1
@@ -27,7 +27,7 @@ THE SOFTWARE.--><?jelly escape-by-default='true'?><j:jelly xmlns:j="jelly:core" xmlns:x="jelly:xml" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">-<j:set scope="parent" var="iconSize" value="${h.getCookie(request,'iconSize','32x32')}" />+<j:set scope="parent" var="iconSize" value="${h.validateIconSize(h.getCookie(request,'iconSize','32x32'))}" /><!--balls look smaller than their actual size,so we try not to make the secondary icons look bigger than the icon.
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-2065
- WEBhttps://github.com/jenkinsci/jenkins/commit/a0b00508eeb74d7033dc4100eb382df4e8fa72e7
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
- WEBhttp://www.openwall.com/lists/oss-security/2014/02/21/2