
Security Advisory - Jenkins Stored Cross-Site Scripting Vulnerability

Updated: Nov 23, 2018

The Ant installation component within Jenkins is affected by a stored cross-site scripting vulnerability.


CVSS Score and Metrics

  • CVSS 2.0 METRICS: AV:N/AC:L/AU:N/C:P/I:P/A:N

  • CVSS 2.0 SCORE: 6.4

  • CVSS 3.0 METRICS: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

  • CVSS 3.0 SCORE: 4.8

Vulnerability Type

  • Stored Cross-Site Scripting (XSS)

Affected Vendors

  • Jenkins

Affected Products

  • Jenkins 1.60

  • Jenkins 1.70

  • Jenkins 1.80

  • Jenkins 1.90

  • Jenkins 1.100

  • Jenkins 1.200

  • Jenkins 1.300

  • Jenkins 1.400

  • Jenkins 1.500

  • Jenkins 1.600

  • Jenkins 2.0

  • Jenkins 2.1

  • Jenkins 2.2

  • Jenkins 2.3

  • Jenkins 2.4

  • Jenkins 2.5

  • Jenkins 2.6

  • Jenkins 2.7

  • Jenkins 2.73.1

  • Jenkins 2.8

  • Jenkins 2.90

  • Jenkins 2.91

  • Jenkins 2.92

  • Jenkins 2.93

Affected Component

  • Ant Installation

Solution

  • Not available

Attack Type

  • Remote

Vulnerability Impact

  • An attacker who can save a crafted Ant installation entry gets script stored by Jenkins and executed in the browser of any other user who later views a page that renders that entry. The CVSS 3.0 metrics above (PR:H, UI:R, S:C) reflect this: the attacker needs high privileges to store the payload, a victim has to load the affected page, and the impact lands in the victim's browser rather than on the Jenkins instance itself. From there the attacker can hijack the victim's session, redirect them to a malicious website, steal cookies, or perform other actions in the victim's browser.
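The following is an added illustration of the vulnerability class this advisory describes, not Jenkins or Ant-plugin code: a configuration value saved once by a high-privileged user is later written into pages served to other users without output encoding. The installation records, the `<select>` template, the `hasInjectedTags` checker and the sample payload are all constructed for the example; the hardened variant shows the fix a practitioner would expect, output encoding at render time.

```javascript
// Added illustration of stored XSS via a persisted configuration value.
// NOT Jenkins or Ant-plugin code: the installation records, the picker
// template, the checker and the payload below are constructed for this example.

// Output-encode text for HTML element content and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the persisted name is concatenated into markup as-is, so a
// name that contains markup becomes live markup for everyone who loads the page.
function renderOptionUnsafe(installation) {
  return `<option value="${installation.name}">${installation.name}</option>`;
}

// Hardened pattern: identical template, but the value is encoded at output time.
function renderOptionSafe(installation) {
  const name = escapeHtml(installation.name);
  return `<option value="${name}">${name}</option>`;
}

// The "stored" half: a picker rendered from every saved installation. Whoever
// saved a hostile name only had to do it once; every later viewer renders it.
function renderAntPicker(installations, renderOption) {
  return `<select name="antName">${installations.map(renderOption).join("")}</select>`;
}

// Tag names present in a fragment, in document order.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-zA-Z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Checker for a review or test harness: the picker template itself emits only
// <select> and <option>, so any other tag name means stored data became markup.
function hasInjectedTags(html, allowed = ["select", "option"]) {
  return tagNames(html).some((t) => !allowed.includes(t));
}

// Constructed sample data: one benign installation and one whose name carries a
// classic attribute-breakout payload (constructed, not from any real report).
const sampleInstallations = [
  { name: "Ant 1.10.5", home: "/opt/ant" },
  { name: 'Ant 1.9"><img src=x onerror="alert(document.cookie)">', home: "/opt/ant-old" },
];

// Render both variants over the same stored data and report the check results.
function demo() {
  const unsafe = renderAntPicker(sampleInstallations, renderOptionUnsafe);
  const safe = renderAntPicker(sampleInstallations, renderOptionSafe);
  return {
    unsafe,
    safe,
    unsafeInjected: hasInjectedTags(unsafe),
    safeInjected: hasInjectedTags(safe),
  };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const r = demo();
  console.log("unsafe render carries injected tags:", r.unsafeInjected);
  console.log("safe render carries injected tags:  ", r.safeInjected);
  console.log(r.safe);
}
```

The checker is deliberately narrow: it only asks whether the rendered fragment contains tag names the template never emits, which is enough to catch a stored value breaking out of an attribute or element. It is a regression guard for the specific template, not a general XSS detector, and does not replace encoding every value at the point it is written into HTML.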

Vendor Acknowledged

  • Yes

Vendor Reference

Credit

  • Dhiraj Datar, Lakhshya Cyber Security Labs Pvt Ltd

Disclosure timeline

  • 04-10-2017 - Vulnerability reported to vendor.

  • 04-10-2017 - Vendor acknowledged receipt of the report.

  • 09-10-2017 - Vendor confirmation received.

  • 04-12-2017 - Coordinated public release of advisory.

Changelog

  • 05-12-2017 - Initial release.

  • 05-12-2017 - CVSS scoring and metrics changed.



© 2019 Lakhshya CyberSecurity Labs Pvt Ltd