Security context
MediumGHSA-vj6q-v2h7-6q5m CVE-2014-2067CWE-79Published May 17, 2022

Jenkins cross-site scripting (XSS) vulnerability

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

1.533 → fixed in 1.5510 → fixed in 1.532.2

Details

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

The fix

[FIXED SECURITY-74] Apply markup formatter to remote cause

Jesse Glick· Feb 7, 2014, 07:33 PM+735d57c855f3
core/src/main/java/hudson/model/Cause.java+7 3
@@ -34,6 +34,7 @@
import org.kohsuke.stapler.export.Exported;
import org.kohsuke.stapler.export.ExportedBean;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
+import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.CheckForNull;
@@ -371,10 +372,13 @@ public RemoteCause(String host, String note) {
@Override
public String getShortDescription() {
if(note != null) {
- return Messages.Cause_RemoteCause_ShortDescriptionWithNote(addr, note);
- } else {
- return Messages.Cause_RemoteCause_ShortDescription(addr);
+ try {
+ return Messages.Cause_RemoteCause_ShortDescriptionWithNote(addr, Jenkins.getInstance().getMarkupFormatter().translate(note));
+ } catch (IOException x) {
+ // ignore
+ }
}
+ return Messages.Cause_RemoteCause_ShortDescription(addr);
}
@Override

References