The default installation and configuration of Jenkins CI is prone to a security vulnerability. The Jenkins CI default markup formatter permits offsite-bound forms. This vulnerability could be exploited by a remote attacker (a malicious user) to inject malicious persistent HTML script code (application side).
Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily mitigate the flaw by implementing the following workaround:
'MyspacePolicy' permits
tag("form", "action", ONSITE_OR_OFFSITE_URL, "method");
Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely.
References:
http://seclists.org/fulldisclosure/2013/Dec/159
Mitigation:
'MyspacePolicy' permits
tag("form", "action", ONSITE_OR_OFFSITE_URL, "method");
Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely.
The default installation and configuration of Jenkins CI is prone to a security vulnerability. The Jenkins CI default markup formatter permits offsite-bound forms. This vulnerability could be exploited by a remote attacker (a malicious user) to inject malicious persistent HTML script code (application side). Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily mitigate the flaw by implementing the following workaround: 'MyspacePolicy' permits tag("form", "action", ONSITE_OR_OFFSITE_URL, "method"); Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps <form> could be banned entirely. References: http://seclists.org/fulldisclosure/2013/Dec/159