CVE-2017-2607

Name of the Vulnerable Software and Affected Versions: Jenkins versions prior to 2.44 Jenkins versions prior to 2.32.2

Description: The issue allows malicious users to perform cross-site scripting attacks on other users viewing build logs. This is possible because Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts to print serialized console notes that perform cross-site scripting attacks.

Recommendations: For versions prior to 2.44, update to version 2.44 or later to resolve the issue. For versions prior to 2.32.2, update to version 2.32.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the console notes feature until a patch is available.