Summary
The Ant installation component within Jenkins is affected by a stored cross-site scripting vulnerability.
As there is no patch available at this point in time, we shall update this section with more details after the vendor releases a security fix.
CVE ID
CVE-2017-17383
CVSS Score and Metrics
CVSS 2.0 METRICS: AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS 2.0 SCORE: 6.42
CVSS 3.0 METRICS: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS 3.0 SCORE: 4.8
Vulnerability Type
Stored Cross Site Scripting (XSS)
Affected Vendors
Jenkins
Affected Products
Jenkins 1.60
Jenkins 1.70
Jenkins 1.80
Jenkins 1.90
Jenkins 1.100
Jenkins 1.200
Jenkins 1.300
Jenkins 1.400
Jenkins 1.500
Jenkins 1.600
Jenkins 2.0
Jenkins 2.1
Jenkins 2.2
Jenkins 2.3
Jenkins 2.4
Jenkins 2.5
Jenkins 2.6
Jenkins 2.7
Jenkins 2.73.1
Jenkins 2.8
Jenkins 2.90
Jenkins 2.91
Jenkins 2.92
Jenkins 2.93
Affected Component
Ant Installation
Solution
Not available
Attack Type
Remote
Vulnerability Impact
An attacker can inject hostile script into unsuspecting users' browsers. An attacker can then leverage this issue to hijack browser sessions, redirect users to malicious websites, steal cookies and perform other actions.
Vendor Acknowledged
Yes
Vendor Reference
https://jenkins.io/security/advisory/2017-12-05/
Credit
Dhiraj Datar, Lakhshya Cyber Security Labs Pvt Ltd
Disclosure timeline
04-10-2017 - Vulnerability reported to vendor.
04-10-2017 - Vulnerability report acknowledged.
09-10-2017 - Vendor confirmation received.
04-12-2017 - Coordinated public release of advisory.
Changelog
05-12-2017 - Initial release.
05-12-2017 - CVSS scoring and metrics changed.
Originally Published in Lakhshya https://lakhshyalabs.com/research/security-advisory-jenkins-stored-cross-site-scripting-vulnerability.html