PT-2018-5174 · Cloudbees+1 · Jenkins

Viktor Gazdag

Publicado

2018-01-26

Atualizado

2022-05-14

CVE-2017-1000392

CVSS v3.1

4.8

Média

Vetor

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.88 and earlier Jenkins versions 2.73.2 and earlier

Description The issue results from unescaped autocompletion suggestions for text fields, leading to a persisted cross-site scripting problem. This occurs when the source for the suggestions allows text that includes HTML metacharacters, such as less-than and greater-than characters.

Recommendations For Jenkins versions 2.88 and earlier, update to a version later than 2.88 to resolve the issue. For Jenkins versions 2.73.2 and earlier, update to a version later than 2.73.2 to resolve the issue. As a temporary workaround, consider restricting user input in text fields to prevent the inclusion of HTML metacharacters until a patch is available.

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2017-1000392

GHSA-5PPX-RGW2-XG23

Produtos afetados

Jenkins

PT-2018-5174 · Cloudbees+1 · Jenkins

CVE-2017-1000392

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 8