1326402 – (CVE-2016-3101) CVE-2016-3101 jenkins: Stored XSS vulnerability in Extra Columns Plugin (SECURITY-136)

Bug 1326402 (CVE-2016-3101) - CVE-2016-3101 jenkins: Stored XSS vulnerability in Extra Columns Plugin (SECURITY-136)

Summary: CVE-2016-3101 jenkins: Stored XSS vulnerability in Extra Columns Plugin (SECU...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2016-3101
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1326407 1326408
Blocks:	1326405
TreeView+	depends on / blocked

Reported:	2016-04-12 15:17 UTC by Adam Mariš
Modified:	2022-06-02 05:12 UTC (History)
CC List:	15 users (show)
Fixed In Version:	Jenkins 1.17, Jenkins 1.18.1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-05-04 18:45:33 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2016-04-12 15:17:53 UTC

The following flaw was found in Jenkins:

The Extra Columns plugin rendered user-supplied HTML in tool tips without filtering them through the configured markup formatter.

External References:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11

Comment 2 Adam Mariš 2016-04-12 15:21:24 UTC

Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1326408]

Comment 4 Kurt Seifried 2016-05-04 18:45:33 UTC

These are in Jenkins plugins that do not ship with OpenShift Enterprise.

Note You need to log in before you can comment on or make changes to this bug.