Security Advisory- Jenkins Stored Cross Site Scripting Vulnerability

Summary

  • The Ant installation component within Jenkins is affected by a stored cross-site scripting vulnerability.
  • As there is no patch available at this point in time, we shall update this section with more details after the vendor releases a security fix.

CVE ID

  • CVE-2017-17383

CVSS Score and Metrics

  • CVSS 2.0 METRICS: AV:N/AC:L/AU:N/C:P/I:P/A:N
  • CVSS 2.0 SCORE: 6.42
  • CVSS 3.0 METRICS: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • CVSS:3.0 SCORE 4.8

Vulnerability Type

  • Stored Cross Site Scripting (XSS)

Affected Vendors

  • Jenkins

Affected Products

  • Jenkins 1.60
  • Jenkins 1.70
  • Jenkins 1.80
  • Jenkins 1.90
  • Jenkins 1.100
  • Jenkins 1.200
  • Jenkins 1.300
  • Jenkins 1.400
  • Jenkins 1.500
  • Jenkins 1.600
  • Jenkins 2.0
  • Jenkins 2.1
  • Jenkins 2.2
  • Jenkins 2.3
  • Jenkins 2.4
  • Jenkins 2.5
  • Jenkins 2.6
  • Jenkins 2.7
  • Jenkins 2.73.1
  • Jenkins 2.8
  • Jenkins 2.90
  • Jenkins 2.91
  • Jenkins 2.92
  • Jenkins 2.93

Affected Component

  • Ant Installation

Solution

  • Not available

Attack Type

  • Remote

Vulnerability Impact

  • An attacker can inject hostile script into unsuspecting users's browser. An attacker can then leverage this issue to hijack browser sessions, redirect users to malicious websites, steal cookies and perform other actions.

Vendor Acknowledged

  • Yes

Vendor Reference

Credit

  • Dhiraj Datar, Lakhshya Cyber Security Labs Pvt Ltd

Disclosure timeline

  • 04-10-2017 - Vulnerability reported to vendor.
  • 04-10-2017 – Vulnerability acknowledged report.
  • 09-10-2017 – Vendor confirmation received.
  • 04-12-2017 - Coordinated public release of advisory.

Changelog

  • 05-12-2017 - Initial release.
  • 05-12-2017 - CVSS scoring and metrics changed.