This advisory announces a vulnerability in Jenkins (weekly and LTS) and various plugins.
Jenkins administrators can configure tools, such as JDK, Maven, or Ant, that will be available in job configurations for use by build scripts.
Some tool names are not properly escaped on job configuration forms, resulting in a stored cross-site scripting vulnerability.
Tools confirmed to be affected are:
JDK (provided by Jenkins core)
Ant (provided by Ant plugin)
Others may also be affected by this.
This vulnerability can only be exploited by Jenkins administrators, as they’re the only ones able to define tools. In regular Jenkins configurations, administrators are able to run any code and install any plugin. Therefore this vulnerability only really affects installations that don’t grant administrators the Run Scripts, Configure Update Sites, and/or Install Plugins permissions.
As of publication of this advisory, there is no fix.
The Jenkins project has prepared a plugin preventing the configuration of unsafe tool names at https://github.com/jenkinsci-cert/security624. If you’re affected by this issue (i.e. are operating an instance restricting the permissions of administrators) we recommend installing the above plugin. You will need to build this plugin yourself. We are not planning to distribute it on our update sites, as we are unaware of any open source plugins enabling a configuration that would be affected by this vulnerability.
As of publication of this advisory, there is no fix available other than the workaround provided above.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
Dhiraj Datar, Lakhshya Cyber Security Labs for SECURITY-624