This advisory announces vulnerabilities in the following Jenkins deliverables:
Since Jenkins 2.483, the description of the reason why a node is offline (the "offline cause") is defined as containing HTML and rendered as such.
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier does not escape the user-provided description of the "Mark temporarily offline" offline cause.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.
Jenkins 2.551, LTS 2.541.2 escapes the user-provided description of the "Mark temporarily offline" offline cause.
| On Jenkins 2.539 and newer, including LTS 2.541.1, enforcing Content Security Policy protection mitigates this vulnerability. |
| This vulnerability has been reported through the Jenkins Bug Bounty Program sponsored by the European Commission. |
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to. This allows attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.
Jenkins 2.551, LTS 2.541.2 rejects Run Parameter values that refer to builds the user submitting the build does not have access to (either because they do not exist, or because the user does not have permission to access them).
| This vulnerability has been reported through the Jenkins Bug Bounty Program sponsored by the European Commission. |
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: