Jenkins Multiple HTML Injection Vulnerabilities
BID:52055
Info
Jenkins Multiple HTML Injection Vulnerabilities
| Bugtraq ID: | 52055 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 17 2012 12:00AM |
| Updated: | Feb 17 2012 12:00AM |
| Credit: | Sony |
| Vulnerable: |
Jenkins CI Jenkins 1.409.3 Jenkins CI Jenkins 1.451 Jenkins CI Jenkins 1.447 Jenkins CI Jenkins 1.446 Jenkins CI Jenkins 1.438 Jenkins CI Jenkins 1.424.2 Jenkins CI Jenkins 1.424.1 Jenkins CI Jenkins 1.408 |
| Not Vulnerable: | |
Discussion
Jenkins Multiple HTML Injection Vulnerabilities
Jenkins is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, or control how the site is rendered to the user. Other attacks are also possible.
Jenkins versions 1.408 through 1.451 are vulnerable; other versions may also be affected.
Jenkins is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, or control how the site is rendered to the user. Other attacks are also possible.
Jenkins versions 1.408 through 1.451 are vulnerable; other versions may also be affected.
Exploit / POC
Jenkins Multiple HTML Injection Vulnerabilities
Attackers can use a browser to exploit these issues.
Attackers can use a browser to exploit these issues.
Solution / Fix
Jenkins Multiple HTML Injection Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Jenkins Multiple HTML Injection Vulnerabilities
References:
References:
- Jenkins CI Homepage (Jenkins CI)
- Jenkins Cross Site Scripting (Sony)