
[Vulnerability notice] CVE-2017-1000391 and CVE-2017-1000392: Multiple vulnerabilities in Jenkins

Last Updated: Apr 02, 2018

On November 8, 2017 (U.S. time), the Jenkins project published a security advisory [1] covering two vulnerabilities: CVE-2017-1000391 and CVE-2017-1000392. Both are rated low severity; you can decide whether to apply the fix according to your service situation.

See the following for more information about the vulnerabilities.


CVE identifier

CVE-2017-1000391 and CVE-2017-1000392

Vulnerability name

  • CVE-2017-1000391 - Unsafe use of user names as directory names
  • CVE-2017-1000392 - Persisted XSS vulnerability in autocompletion suggestions

Vulnerability rating

Low

Vulnerability description

  • CVE-2017-1000391 - Unsafe use of user names as directory names

    Jenkins stores metadata about users (both real user accounts and users seen in SCM) in per-user directories on disk. Each directory is named after the user ID verbatim, which causes the following problems:

    • The user record for a user name consisting of a single forward slash (/) is stored in the users directory itself, the parent of all per-user directories. Deleting this user therefore deletes all user records.
    • User names containing character sequences such as ../ can be used to overwrite other configuration files in Jenkins, outside the users directory.
    • User names can be reserved device names such as COM1 (on Windows).

    These problems are not limited to the Jenkins user database security realm. Other security realms such as LDAP may also allow users to create the problematic user names. In fixed versions, user names are transformed into a filesystem-safe representation that is used as the directory name.

  • CVE-2017-1000392 - Persisted XSS vulnerability in autocompletion suggestions

    Autocompletion suggestions for text fields are not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allows specifying text that includes HTML metacharacters, such as less-than and greater-than characters. Known unsafe sources for these suggestions include the names of loggers in the log recorder condition, and agent labels.

    The fix is included in the Jenkins releases listed under "How to fix or mitigate" below. Autocompletion suggestions are now escaped and can no longer contain HTML-based formatting.
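
The directory-name problem described for CVE-2017-1000391 above, as an added illustration that is not code from the page or from Jenkins: a function that uses the raw user ID as a directory name (the vulnerable pattern), beside a hardened version that escapes the ID into a single plain path component and then re-checks that the result stays inside the users directory. The users root path, the sample user IDs and the escaping scheme are assumptions made for this example; the scheme is not the encoding Jenkins itself adopted.

```python
import os
import re

# Constructed user IDs covering the three problem classes in the advisory plus a
# benign one; they are not taken from any real Jenkins instance.
SAMPLE_USER_IDS = ["alice", "/", "../config.xml", "COM1"]

# Windows reserved device names; matched case-insensitively and ignoring any
# extension, because "COM1.txt" still refers to the device.
WINDOWS_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
                    | {f"COM{i}" for i in range(1, 10)}
                    | {f"LPT{i}" for i in range(1, 10)})

# Characters kept verbatim in a directory name; everything else is escaped.
_SAFE_CHAR = re.compile(r"[A-Za-z0-9_-]")


def user_dir_unsafe(users_root, user_id):
    """Vulnerable pattern: the raw user ID becomes the directory name."""
    return os.path.normpath(os.path.join(users_root, user_id))


def is_direct_child(users_root, path):
    """True if path lies exactly one level below users_root."""
    root = os.path.abspath(users_root)
    full = os.path.abspath(path)
    return full != root and os.path.dirname(full) == root


def filesystem_safe_name(user_id):
    """Hardened: map any user ID to a single plain path component.

    Each character outside _SAFE_CHAR is replaced by '$' plus two hex digits
    per UTF-8 byte, and '$' itself is escaped, so the mapping is reversible
    and two different IDs can never share a directory. IDs that are Windows
    reserved device names are escaped in full. Illustrative scheme only.
    """
    if not user_id:
        raise ValueError("empty user ID")

    def esc(ch):
        return "".join(f"${b:02x}" for b in ch.encode("utf-8"))

    if user_id.split(".")[0].upper() in WINDOWS_RESERVED:
        return "".join(esc(ch) for ch in user_id)
    return "".join(ch if _SAFE_CHAR.match(ch) else esc(ch) for ch in user_id)


def user_dir_safe(users_root, user_id):
    """Directory for a user, built from the escaped name and re-checked."""
    path = os.path.join(users_root, filesystem_safe_name(user_id))
    # Defence in depth: whatever the encoder did, never leave the users root.
    if not is_direct_child(users_root, path):
        raise ValueError(f"refusing to use {path!r} for user {user_id!r}")
    return path


if __name__ == "__main__":
    root = "/var/lib/jenkins/users"  # assumed JENKINS_HOME/users
    for uid in SAMPLE_USER_IDS:
        unsafe = user_dir_unsafe(root, uid)
        flag = "" if is_direct_child(root, unsafe) else "  <-- escapes users/"
        print(f"{uid!r:18} unsafe: {unsafe}{flag}")
        print(f"{'':18} safe:   {user_dir_safe(root, uid)}")
```

Running it shows the user "/" resolving to the filesystem root and "../config.xml" resolving to a file beside the users directory in the unsafe variant, while the safe variant keeps every ID under users/ ("$2f", "$2e$2e$2fconfig$2exml", "$43$4f$4d$31"). One caveat the scheme does not address: it preserves case, so on a case-insensitive filesystem two IDs that differ only in case would still share a directory, and a real implementation has to fold case as well.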

Condition and method of exploitation

Both vulnerabilities can be exploited remotely. In each case the trigger is data an attacker can store in Jenkins: a crafted user name for CVE-2017-1000391, and a logger name or agent label containing HTML metacharacters for CVE-2017-1000392.

PoC status

Unpublished

Affected scope

  • Jenkins weekly <= 2.88
  • Jenkins LTS <= 2.73.2

Vulnerability detection

Check the Jenkins version in use (for example from the X-Jenkins HTTP response header, the "Jenkins ver." footer on any page, or Manage Jenkins > About Jenkins) and compare it with the affected scope above. Note that LTS versions have three numeric components (for example 2.73.2) while weekly releases have two (for example 2.88), so the two release lines must be compared against different bounds.
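
A version check covering the affected scope and the detection step above, as an added example that is not code from the page or from Jenkins. It parses a Jenkins version string, tells LTS from weekly by the number of components, and compares numerically rather than as a string (a string comparison would wrongly treat "2.9" as newer than "2.88"). The host names and header values are constructed; the optional fetch helper reads the X-Jenkins header that Jenkins sends on its HTTP responses, which a reverse proxy may strip.

```python
import re
import urllib.error
import urllib.request

# Upper bounds of the affected ranges from the advisory. LTS versions carry
# three numeric components (2.73.2); weekly releases carry two (2.88).
AFFECTED_WEEKLY_MAX = (2, 88)
AFFECTED_LTS_MAX = (2, 73, 2)

# Constructed X-Jenkins header values, not captured from real servers.
SAMPLE_HEADERS = {
    "ci-a": "2.88",
    "ci-b": "2.89",
    "ci-c": "2.73.2",
    "ci-d": "2.73.3",
    "ci-e": "2.9",
    "ci-f": "2.107.1-SNAPSHOT (private-build)",
}


def parse_version(text):
    """'2.73.3-SNAPSHOT' -> (2, 73, 3); any trailing qualifier is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not m:
        raise ValueError(f"not a Jenkins version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def release_line(version):
    """Three or more numeric components means an LTS release."""
    return "lts" if len(version) >= 3 else "weekly"


def is_affected(text):
    """True if the version falls inside the advisory's affected scope."""
    version = parse_version(text)
    if release_line(version) == "lts":
        return version[:3] <= AFFECTED_LTS_MAX
    return version[:2] <= AFFECTED_WEEKLY_MAX


def fetch_jenkins_version(base_url, timeout=5):
    """Read the X-Jenkins header from a live instance; None if absent.

    An unauthenticated request is normally enough. If the server answers with
    an HTTP error, the header (when present) is still on that error response.
    """
    req = urllib.request.Request(base_url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("X-Jenkins")
    except urllib.error.HTTPError as err:
        return err.headers.get("X-Jenkins")


def scan(headers):
    """Map each host to (version tuple, release line, affected?)."""
    result = {}
    for host, text in headers.items():
        version = parse_version(text)
        result[host] = (version, release_line(version), is_affected(text))
    return result


if __name__ == "__main__":
    for host, (ver, line, hit) in scan(SAMPLE_HEADERS).items():
        print(f"{host}: {'.'.join(map(str, ver))} ({line}) -> "
              f"{'AFFECTED' if hit else 'ok'}")
```

To check a real instance, pass `fetch_jenkins_version("https://ci.example.invalid/")` (an assumed URL) into `is_affected`; if the header is missing, read the version from the page footer or the About page instead and feed that string in.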

How to fix or mitigate

  • Upgrade Jenkins weekly to v2.89 or later versions.
  • Upgrade Jenkins LTS to v2.73.3 or later versions.

Reference

[1]. https://jenkins.io/security/advisory/2017-11-08/
