Jenkins is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will result in the execution of arbitrary attacker-supplied HTML and script code in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the page is rendered to the user. Other attacks are also possible.
Jenkins 2.93 and prior versions are vulnerable.
Information
Bugtraq ID: 102130
Class: Input Validation Error
CVE: CVE-2017-17383
Remote: Yes
Local: No
Published: Dec 06 2017 12:00AM
Updated: Dec 11 2017 03:11PM
Credit: Dhiraj Datar of Lakhshya Cyber Security Labs.
Vulnerable: Jenkins-Ci Jenkins 2.93
Jenkins-Ci Jenkins 2.92
Jenkins-Ci Jenkins 2.90
Jenkins-Ci Jenkins 2.89
Jenkins-Ci Jenkins 2.88
Jenkins-Ci Jenkins 2.57
Jenkins-Ci Jenkins 2.56
Jenkins-Ci Jenkins 2.44
Jenkins-Ci Jenkins 2.43
Jenkins-Ci Jenkins 2.32
Jenkins-Ci Jenkins 2.31
Jenkins-Ci Jenkins 2.3
Jenkins-Ci Jenkins 2.2
Jenkins-Ci Jenkins 2.1
Jenkins-Ci Jenkins 2.0
Not Vulnerable:
Exploit
An attacker can exploit these issues using a web browser.