Stored XSS vulnerability In Jenkins CVE-2017-17383

-

Description

Stored XSS vulnerability in tool names exploitable by administrators

SECURITY-624
Jenkins administrators can configure tools, such as JDK, Maven, or Ant, that will be available in job configurations for use by build scripts.
Some tool names are not properly escaped on job configuration forms, resulting in a stored cross-site scripting vulnerability.
Tools confirmed to be affected are:
  • JDK (provided by Jenkins core)
  • Ant (provided by Ant plugin)
Others may also be affected by this.
This vulnerability can only be exploited by Jenkins administrators, as they’re the only ones able to define tools. In regular Jenkins configurations, administrators are able to run any code and install any plugin. Therefore this vulnerability only really affects installations that don’t grant administrators the Run Scripts, Configure Update Sites, and/or Install Plugins permissions.
As of publication of this advisory, there is no fix.
The Jenkins project has prepared a plugin preventing the configuration of unsafe tool names at https://github.com/jenkinsci-cert/security624. If you’re affected by this issue (i.e. are operating an instance restricting the permissions of administrators) we recommend installing the above plugin. You will need to build this plugin yourself. We are not planning to distribute it on our update sites, as we are unaware of any open source plugins enabling a configuration that would be affected by this vulnerability.

Severity

  • SECURITY-624: medium
  • CVE-2017-17383 

Affected versions

  • All versions of Jenkins

Fix

As of publication of this advisory, there is no fix available other than the workaround provided above.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
  • Dhiraj Datar, Lakhshya Cyber Security Labs for SECURITY-624

Comments

Post a Comment

Popular posts from this blog

HTTP Host header attacks against web proxy disclaimer response webpage CVE-2017-14190

-
HTTP Host header attacks against web proxy disclaimer response webpage Summary The FortiOS web proxy disclaimer page is potentially vulnerable to an XSS attack, via maliciously crafted "Host" headers in user HTTP requests. The latter is possible if an attacker is in a Man-in-the-middle position (i.e. able to modify the HTTP requests of the potential victim before they reach the web proxy), or poisons a web cache used by the potential victim. In the latter attack scenario, the tainted disclaimer web page being cached, the XSS attack can be considered as persistent. Impact Persistent Cross-site Scripting (XSS) CVE ID CVE-2017-14190 Affected Products FortiOS 5.6.0 to 5.6.2 FortiOS 5.4.0 to 5.4.7 FortiOS 5.2 and lower versions. Solutions FortiOS 5.6 branch: Upgrade to 5.6.3 FortiOS 5.4 branch: Upgrade to 5.4.8 For...
Read more

VMware vRealize Operations Tenant App update addresses Information Disclosure Vulnerability (CVE-2021-22034)

-
  1. Impacted Products VMware vRealize Operations Tenant App for VMware Cloud Director 2. Introduction An information disclosure vulnerability in VMware vRealize Operations Tenant App for VMware Cloud Director was privately reported to VMware. Patch is available to address this vulnerability in impacted VMware products.  3. Information Disclosure Vulnerability in VMware vRealize Operations Tenant App for VMware Cloud Director (CVE-2021-22034) Description T...
Read more

TYPO3 CMS is vulnerable to SQL injection. CVE-2019-19850

-
It has been discovered that TYPO3 CMS is vulnerable to SQL injection. Component Type: TYPO3 CMS Subcomponent: Query Generator (ext:lowlevel) Release Date: December 17, 2019 Vulnerability Type: SQL Injection Affected Versions: 8.0.0-8.7.29 and 9.0.0-9.5.11 and 10.0.0-10.2.0 Severity: Medium Suggested CVSS v3.1:   AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C CVE:   CVE-2019-19850 Problem Description Failing to properly escape user submitted content, class QueryGenerator is vulnerable to SQL injection. Having system extension ext:lowlevel installed and a valid backend user having administrator privileges are required to exploit this vulnerability. Solution Update to TYPO3 versions 8.7.30 or 9.5.12 or 10.2.2 that fix the problem described. Credits Thanks to Dhiraj Shrikant Datar ( Zacco CyberSecurity Research Labs ) who reported this issue and to TYPO3 framework merger Frank Nägler  who fixed the issue. General Advice Follo...
Read more