PT-2018-5174 · Cloudbees+1 · Jenkins

Viktor Gazdag

Published

2018-01-26

Updated

2022-05-14

CVE-2017-1000392

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.88 and earlier Jenkins versions 2.73.2 and earlier

Description The issue results from unescaped autocompletion suggestions for text fields, leading to a persisted cross-site scripting problem. This occurs when the source for the suggestions allows text that includes HTML metacharacters, such as less-than and greater-than characters.

Recommendations For Jenkins versions 2.88 and earlier, update to a version later than 2.88 to resolve the issue. For Jenkins versions 2.73.2 and earlier, update to a version later than 2.73.2 to resolve the issue. As a temporary workaround, consider restricting user input in text fields to prevent the inclusion of HTML metacharacters until a patch is available.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2017-1000392

GHSA-5PPX-RGW2-XG23

Affected Products

Jenkins

PT-2018-5174 · Cloudbees+1 · Jenkins

CVE-2017-1000392

Weakness Enumeration

Related Identifiers

Affected Products

References · 8