On December 8, 2017 (US time), Jenkins announced two vulnerabilities: CVE-2017-1000391 and CVE-2017-1000392. Both are rated low severity; decide whether to patch based on your own deployment.
See the following for more information about the two vulnerabilities.
CVE-2017-1000391 and CVE-2017-1000392
- CVE-2017-1000391 - Unsafe use of user names as directory names
- CVE-2017-1000392 - Persisted XSS vulnerability in autocompletion suggestions
CVE-2017-1000391 - Unsafe use of user names as directory names
Jenkins stores metadata about users (both real user accounts and user identities seen in SCM) in per-user directories on disk, and each directory is named after the raw user ID. Using the user ID directly as a directory name leads to the following problems:
- A user name consisting of a single forward slash (/) resolves to the parent directory, so that user's records are stored there. Deleting this user also deletes all user records.
- User names containing character sequences such as .. can be used to overwrite (clobber) other configuration files in Jenkins.
- User names can consist of reserved names such as COM (on Windows).
These problems are not limited to the Jenkins user database security realm. Other security realms, such as LDAP, may also allow users to create the problematic user names. User names are now transformed into a filesystem-safe representation that is used as the directory name.
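The following is an added example, not Jenkins's own code, of what a filesystem-safe transformation of a user ID has to achieve: every character outside a small safe set is encoded so that a slash, a backslash or a dot can never form a path separator or a ".." component, names that collide with Windows reserved device names get a marker prefix, and the mapping stays injective so two different user IDs never share a directory. The $XX encoding scheme, the safe-character set and the list of reserved names are assumptions chosen for the example, and the sample user IDs are constructed.

```python
import re

# Windows device names that cannot be used as file or directory names
# (assumption: this list covers the commonly reserved ones; extend as needed).
WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Only these characters pass through unchanged; everything else is encoded.
SAFE_CHAR = re.compile(r"[A-Za-z0-9_-]")


def user_id_to_dirname(user_id: str) -> str:
    """Map an arbitrary user ID to one filesystem-safe path component.

    Each character outside [A-Za-z0-9_-] is replaced by $XX for every byte of
    its UTF-8 encoding, so "/", "\\" and "." can never produce a path
    separator or a ".." component. A result that collides with a Windows
    reserved device name gets a "$" prefix; no encoded name can look like
    that, because an encoded "$" is always followed by two hex digits and
    every reserved name has a non-hex second character.
    """
    if not user_id:
        raise ValueError("empty user id")
    out = []
    for ch in user_id:
        if SAFE_CHAR.fullmatch(ch):
            out.append(ch)
        else:
            out.extend(f"${b:02X}" for b in ch.encode("utf-8"))
    name = "".join(out)
    if name.upper() in WINDOWS_RESERVED:
        name = "$" + name
    return name


def dirname_to_user_id(name: str) -> str:
    """Inverse of user_id_to_dirname; included to show the encoding is lossless."""
    if name.startswith("$") and name[1:].upper() in WINDOWS_RESERVED:
        return name[1:]
    buf = bytearray()
    i = 0
    while i < len(name):
        if name[i] == "$":
            buf.append(int(name[i + 1:i + 3], 16))
            i += 3
        else:
            buf.append(ord(name[i]))  # safe characters are all ASCII
            i += 1
    return buf.decode("utf-8")


def is_single_component(name: str) -> bool:
    """True if name can only ever address one entry directly under its parent."""
    return name not in ("", ".", "..") and "/" not in name and "\\" not in name


if __name__ == "__main__":
    # Constructed sample user IDs, including the three problematic shapes from the advisory.
    for uid in ["alice", "/", "../config", "COM1", "a b", "é", "$COM1"]:
        d = user_id_to_dirname(uid)
        assert is_single_component(d) and dirname_to_user_id(d) == uid
        print(f"{uid!r:14} -> {d}")
```

The round trip through dirname_to_user_id is the property worth checking in a review of any such scheme: if two user IDs could encode to the same directory name, one user's records could be read or deleted through another's account.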
CVE-2017-1000392 - Persisted XSS vulnerability in autocompletion suggestions
Autocompletion suggestions for text fields are not escaped, resulting in a persisted cross-site scripting vulnerability whenever the source of the suggestions lets users enter text containing HTML metacharacters, such as less-than and greater-than characters. Known unsafe sources for these suggestions include the names of loggers in the log recorder condition, and agent labels.
A patch has been released on the official website. Autocompletion suggestions are now escaped and can no longer contain HTML-based formatting.
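As an added example (not Jenkins's own code), the vulnerable rendering pattern beside the escaped one, plus a small check that a reviewer can run over rendered output to confirm that no tag originates from suggestion data. The agent labels are constructed sample input; the third one carries the HTML metacharacters the advisory describes.

```python
import html
from html.parser import HTMLParser

# Constructed sample: agent labels as stored in the suggestion source.
LABELS = ["linux", "docker", "<script>alert(1)</script>"]


def render_suggestions_unsafe(suggestions):
    """The vulnerable pattern: suggestion text is concatenated into markup as-is,
    so metacharacters in a stored label become live HTML in every user's browser."""
    return "<ul>" + "".join(f"<li>{s}</li>" for s in suggestions) + "</ul>"


def render_suggestions(suggestions):
    """Hardened form: every suggestion is HTML-escaped before it touches markup,
    so it is always displayed as text and never interpreted as tags or attributes."""
    return "<ul>" + "".join(
        f"<li>{html.escape(s, quote=True)}</li>" for s in suggestions
    ) + "</ul>"


class _TagCollector(HTMLParser):
    """Records every start tag seen while parsing, for the check below."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def foreign_tags(rendered):
    """Tags in the rendered markup other than the list skeleton. Anything listed
    here came from suggestion data, which is exactly what must not happen."""
    p = _TagCollector()
    p.feed(rendered)
    return sorted(set(p.tags) - {"ul", "li"})


def has_html_metachars(text):
    """Cheap triage check for auditing stored suggestion sources (logger names, labels)."""
    return any(c in text for c in "<>&\"'")


if __name__ == "__main__":
    print("unsafe :", foreign_tags(render_suggestions_unsafe(LABELS)))  # ['script']
    print("escaped:", foreign_tags(render_suggestions(LABELS)))         # []
    print([s for s in LABELS if has_html_metachars(s)])
```

Escaping at the point where data becomes markup is the fix; filtering at input time (has_html_metachars) is only useful for finding already-stored values that the old code would have rendered unescaped.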
Condition and method of exploitation
These vulnerabilities can be exploited remotely, and a PoC exists. Affected versions:
- Jenkins weekly <= 2.88
- Jenkins LTS <= 2.73.2
Check whether your deployment runs one of the affected versions.
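An added example (not a Jenkins or vendor tool) of turning the two version bounds above into a check. It assumes that Jenkins weekly releases carry two version components (2.88) and LTS releases three (2.73.2), and reads the version from the X-Jenkins response header that Jenkins sends; the header block below is a constructed sample, not a capture.

```python
from typing import Optional

# Inclusive upper bound of the affected range in each release line, from the advisory.
AFFECTED_UP_TO = {"weekly": (2, 88), "lts": (2, 73, 2)}
FIXED_IN = {"weekly": "2.89", "lts": "2.73.3"}

# Constructed sample of response headers from a Jenkins instance.
SAMPLE_HEADERS = {
    "Content-Type": "text/html;charset=utf-8",
    "X-Jenkins": "2.73.2",
    "X-Jenkins-Session": "0123abcd",
}


def parse_version(version: str) -> tuple:
    """Turn '2.73.2' into (2, 73, 2); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def release_line(version: str) -> str:
    # Assumption: two components means a weekly release, three means LTS.
    return "lts" if len(parse_version(version)) == 3 else "weekly"


def is_affected(version: str) -> bool:
    """Compare within the release line only; weekly and LTS bounds are independent."""
    return parse_version(version) <= AFFECTED_UP_TO[release_line(version)]


def version_from_headers(headers: dict) -> Optional[str]:
    """Jenkins reports its version in the X-Jenkins response header (case-insensitive lookup)."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def assess(headers: dict) -> str:
    version = version_from_headers(headers)
    if version is None:
        return "unknown: no X-Jenkins header in response"
    line = release_line(version)
    if is_affected(version):
        return f"affected: {version} ({line}); upgrade to {FIXED_IN[line]} or later"
    return f"not affected: {version} ({line})"


if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))
```

Tuple comparison keeps 2.100 above 2.88 where a string comparison would not, and keying the bound on the release line avoids flagging an LTS 2.89.x build just because "2.89" sorts above "2.73".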
How to fix or mitigate
- Upgrade Jenkins weekly to v2.89 or later.
- Upgrade Jenkins LTS to v2.73.3 or later.