Jenkins Cross-site Scripting vulnerability
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
0 → fixed in 1.596.21.600 → fixed in 1.606
Details
Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.
The fix
[FIXED SECURITY-171]
core/src/main/java/hudson/util/FormValidation.java+1 −1
@@ -196,7 +196,7 @@ private static FormValidation _error(Kind kind, Throwable e, String message) {" <a href='#' class='showDetails'>"+ Messages.FormValidation_Error_Details()+ "</a><pre style='display:none'>"-+ Functions.printThrowable(e) +++ Util.escape(Functions.printThrowable(e)) +"</pre>",kind);}core/src/test/java/hudson/util/FormValidationTest.java | 9 +++++++++1 file changed, 9 insertions(+)
core/src/test/java/hudson/util/FormValidationTest.java+9 −0
@@ -23,6 +23,10 @@*/package hudson.util;+import static org.hamcrest.CoreMatchers.containsString;+import static org.hamcrest.CoreMatchers.not;+import static org.hamcrest.MatcherAssert.assertThat;+import junit.framework.TestCase;/**@@ -51,4 +55,9 @@ public void testValidateRequired_Empty() {public void testMessage() {assertEquals("test msg", FormValidation.errorWithMarkup("test msg").getMessage());}++public void testFormValidationException() {+FormValidation fv = FormValidation.error(new Exception("<html"), "Message<html");+assertThat(fv.renderHtml(), not(containsString("<html")));+}}
[SECURITY-171] test
core/src/test/java/hudson/util/FormValidationTest.java+9 −0
@@ -23,6 +23,10 @@*/package hudson.util;+import static org.hamcrest.CoreMatchers.containsString;+import static org.hamcrest.CoreMatchers.not;+import static org.hamcrest.MatcherAssert.assertThat;+import junit.framework.TestCase;/**@@ -51,4 +55,9 @@ public void testValidateRequired_Empty() {public void testMessage() {assertEquals("test msg", FormValidation.errorWithMarkup("test msg").getMessage());}++public void testFormValidationException() {+FormValidation fv = FormValidation.error(new Exception("<html"), "Message<html");+assertThat(fv.renderHtml(), not(containsString("<html")));+}}
[FIXED SECURITY-171]
core/src/main/java/hudson/util/FormValidation.java+1 −1
@@ -196,7 +196,7 @@ private static FormValidation _error(Kind kind, Throwable e, String message) {" <a href='#' class='showDetails'>"+ Messages.FormValidation_Error_Details()+ "</a><pre style='display:none'>"-+ Functions.printThrowable(e) +++ Util.escape(Functions.printThrowable(e)) +"</pre>",kind);}
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-1812
- WEBhttps://github.com/jenkinsci/jenkins/commit/f58ba6e72f978e2f73299e38a1b54ff70fc73fd8
- WEBhttps://github.com/jenkinsci/jenkins/commit/f880d8d2cd9d46987ee3630fa04f77b17784f4e8
- WEBhttps://github.com/jenkinsci/jenkins/commit/feb2703adb0c121705e5c8e9ddf8f663b6481cbd
- WEBhttps://access.redhat.com/errata/RHSA-2016:0070
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1205615
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23
- WEBhttp://rhn.redhat.com/errata/RHSA-2015-1844.html