Bug 2226895 (CVE-2023-39151)

Summary: CVE-2023-39151 jenkins: Stored cross-site scripting via build logs
Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: high
Priority: high
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: Pedro Sampaio <psampaio>
Assignee: Sayan Biswas <sabiswas>
CC: asatyam, dfreiber, diagrawa, ellin, jburrell, rogbas, vkumar
Keywords: Security
Fixed In Version: Jenkins 2.416, jenkins LTS 2.401.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jenkins weekly and LTS. Jenkins turns plain URLs in build console output into hyperlinks but does not sanitize or properly encode the URL it places in the generated link, so attacker-controlled build log content can inject markup and script into the console page (stored cross-site scripting). A remote, authenticated attacker able to influence build log contents can inject malicious script that executes in a victim's web browser, within the security context of the Jenkins site, once the victim views the page. This flaw allows an attacker to steal the victim's cookie-based authentication credentials.
Bug Blocks: 2226896

Description Pedro Sampaio 2023-07-26 21:02:27 UTC
Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks.

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier do not sanitize or properly encode URLs of these hyperlinks in build logs.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

Jenkins 2.416, LTS 2.401.3 encode URLs of affected hyperlink annotations in build logs.

References:

https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188
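The annotation path the description refers to, as an added example that is not Jenkins' own code (Jenkins' UrlAnnotator/HyperlinkNote are Java; Python is used here so the check runs stand-alone): a minimal annotator renders a console line two ways, once with the matched URL copied verbatim into the href attribute, as in 2.415 / LTS 2.401.2, and once attribute-encoded, as in 2.416 / LTS 2.401.3. The URL regex, the log line and the quote-breakout payload are constructed for the illustration and are not a claim about the exact Jenkins code or about what was used against it; an HTML parser then reports which attributes a browser would actually see on the resulting link.

```python
import html
import re
from html.parser import HTMLParser

# Constructed stand-in for a console-output URL annotator. This is NOT Jenkins'
# own UrlAnnotator/HyperlinkNote code; it only reproduces the behaviour the
# advisory describes: plain URLs in a log line become <a> hyperlinks, and the
# difference between affected and fixed releases is whether the URL placed in
# the href attribute is encoded.
URL_RE = re.compile(r"\bhttps?://[^\s<>]+")


def annotate(line: str, encode_url: bool) -> str:
    """Render one console line as HTML, hyperlinking any URLs in it.

    encode_url=False models Jenkins 2.415 / LTS 2.401.2 (URL copied verbatim
    into the attribute); encode_url=True models 2.416 / LTS 2.401.3 (URL
    attribute-encoded). The plain text around the URL is escaped either way,
    so the only difference between the two outputs is the href value.
    """
    out, pos = [], 0
    for m in URL_RE.finditer(line):
        out.append(html.escape(line[pos:m.start()]))
        url = m.group(0)
        href = html.escape(url, quote=True) if encode_url else url
        out.append(f'<a href="{href}">{html.escape(url)}</a>')
        pos = m.end()
    out.append(html.escape(line[pos:]))
    return "".join(out)


class _AnchorCollector(HTMLParser):
    """Record the attributes a browser would assign to each <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(dict(attrs))


def anchor_attributes(markup: str) -> list:
    """Parse markup and return one {attribute: value} dict per <a> tag."""
    parser = _AnchorCollector()
    parser.feed(markup)
    parser.close()
    return parser.anchors


def injected_attributes(markup: str) -> set:
    """Attribute names other than href that ended up on an <a> tag, i.e.
    attributes the log content was able to smuggle past the annotator."""
    names = set()
    for attrs in anchor_attributes(markup):
        names.update(k for k in attrs if k != "href")
    return names


# Constructed log line (hypothetical): a build step echoes attacker-influenced
# text, such as a branch name or commit message, containing a URL with a
# double quote in it. The payload is only an illustration of attribute
# breakout, not a claim about what was used against Jenkins.
LOG_LINE = (
    'Fetching http://example.test/repo/"onmouseover="alert(document.domain) '
    "for build #12"
)


def vulnerable_markup() -> str:
    """Affected behaviour: the quote in the URL terminates the href value."""
    return annotate(LOG_LINE, encode_url=False)


def fixed_markup() -> str:
    """Fixed behaviour: the quote is emitted as &quot; inside the attribute."""
    return annotate(LOG_LINE, encode_url=True)


if __name__ == "__main__":
    print("affected :", vulnerable_markup())
    print("injected :", injected_attributes(vulnerable_markup()))
    print("fixed    :", fixed_markup())
    print("injected :", injected_attributes(fixed_markup()))
```

The point the parser makes visible is that the text node of the link was already escaped in both variants; the bug was purely in the attribute context, where a bare double quote ends the href value and whatever follows becomes further attributes of the tag. Encoding the value with the attribute-context rules (here `html.escape(..., quote=True)`) keeps the whole URL inside href, which is the class of change the 2.416 / 2.401.3 fix makes. For a deployed instance, the check is simply the version line on the Jenkins "About" page or the `X-Jenkins` response header against the fixed versions above.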