Jenkins Security Advisory 2011-11-08

Vulnerability in Jenkins Core

Luca De Fulgentis discovered a cross-site scripting vulnerability in Jenkins that allows an attacker to embed malicious JavaScript into pages generated by Jenkins. The attacker does not need a valid user account in order to exploit this vulnerability.

This affects all versions of Jenkins prior to 1.438 and 1.409.3, but only if you are running it on its stand-alone container. This “stand-alone container” setup includes those who have installed Jenkins via native packages, including Windows, Mac OS X, Debian, Red Hat, and openSUSE.

Severity

We rate this vulnerability as high: although the attack is passive, it allows an attacker to impersonate the administrator.

Fix

This issue has been fixed in Jenkins 1.438. We recommend you update your Jenkins to this version or later. If you don’t see the update in your update center, you can download it manually and replace your jenkins.war. LTS users should update to Jenkins 1.409.3, which fixes this problem.

Running Jenkins on another servlet container, such as Jetty Runner (which allows similar command-line execution), is another possible way to mitigate the problem.
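As an added example (not part of this advisory), the following Python helper applies the affected-version rule above to a version string such as the one Jenkins reports in its X-Jenkins response header: releases on the 1.409 LTS line are compared against 1.409.3, everything else against 1.438, and an instance only counts as affected when it also runs on the stand-alone container. Treating every non-1.409 version as mainline is an assumption of this example; it is conservative for LTS lines the advisory does not mention.

```python
import re
from typing import Tuple

# Thresholds taken from the advisory text.
FIXED_MAINLINE = (1, 438)
FIXED_LTS = (1, 409, 3)
LTS_BRANCH = (1, 409)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.409.3' (or '1.409.3-SNAPSHOT') into the tuple (1, 409, 3)."""
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_lts_line(version: Tuple[int, ...]) -> bool:
    """Only the 1.409.x line is treated as LTS here; that is an assumption of this example."""
    return len(version) == 3 and version[:2] == LTS_BRANCH


def is_vulnerable_version(text: str) -> bool:
    """True when the version predates the fixed release of its line."""
    version = parse_version(text)
    if is_lts_line(version):
        return version < FIXED_LTS
    # Anything else is compared against the mainline fix (conservative for other LTS lines).
    return version[:2] < FIXED_MAINLINE


def required_version(text: str) -> str:
    """The release the advisory says to move to, for the line the instance is on."""
    return "1.409.3" if is_lts_line(parse_version(text)) else "1.438"


def is_affected(text: str, standalone: bool) -> bool:
    """Vulnerable version AND running on the stand-alone container, as the advisory scopes it."""
    return standalone and is_vulnerable_version(text)


if __name__ == "__main__":
    # Constructed sample inventory: (version string, runs on the stand-alone container)
    inventory = [("1.437", True), ("1.409.2", True), ("1.438", True), ("1.437", False)]
    for version, standalone in inventory:
        verdict = "update to " + required_version(version) if is_affected(version, standalone) else "not affected"
        print(f"{version:>8} standalone={standalone!s:<5} -> {verdict}")
```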