Jenkins cross-site scripting (XSS) vulnerability
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
1.533 → fixed in 1.5510 → fixed in 1.532.2
Details
Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."
The fix
[FIXED SECURITY-74] Apply markup formatter to remote cause
core/src/main/java/hudson/model/Cause.java+7 −3
@@ -34,6 +34,7 @@import org.kohsuke.stapler.export.Exported;import org.kohsuke.stapler.export.ExportedBean;import com.thoughtworks.xstream.converters.UnmarshallingContext;+import java.io.IOException;import java.util.HashSet;import java.util.Set;import javax.annotation.CheckForNull;@@ -371,10 +372,13 @@ public RemoteCause(String host, String note) {@Overridepublic String getShortDescription() {if(note != null) {-return Messages.Cause_RemoteCause_ShortDescriptionWithNote(addr, note);-} else {-return Messages.Cause_RemoteCause_ShortDescription(addr);+try {+return Messages.Cause_RemoteCause_ShortDescriptionWithNote(addr, Jenkins.getInstance().getMarkupFormatter().translate(note));+} catch (IOException x) {+// ignore+}}+return Messages.Cause_RemoteCause_ShortDescription(addr);}@Override
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-2067
- WEBhttps://github.com/jenkinsci/jenkins/commit/5d57c855f3147bfc5e7fda9252317b428a700014
- WEBhttps://exchange.xforce.ibmcloud.com/vulnerabilities/91354
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
- WEBhttp://seclists.org/oss-sec/2014/q1/421