Jenkins CVE-2017-17383 Multiple HTML Injection Vulnerabilities

Jenkins is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Successful exploits will result in the execution of arbitrary attacker-supplied HTML and script code in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the page is rendered to the user. Other attacks are also possible.
Jenkins 2.93 and prior versions are vulnerable.

Information

Bugtraq ID: 102130
Class: Input Validation Error
CVE: CVE-2017-17383

Remote: Yes
Local: No
Published: Dec 06 2017 12:00AM
Updated: Dec 11 2017 03:11PM
Credit: Dhiraj Datar of Lakhshya Cyber Security Labs.
Vulnerable: Jenkins-Ci Jenkins 2.93
Jenkins-Ci Jenkins 2.92
Jenkins-Ci Jenkins 2.90
Jenkins-Ci Jenkins 2.89
Jenkins-Ci Jenkins 2.88
Jenkins-Ci Jenkins 2.57
Jenkins-Ci Jenkins 2.56
Jenkins-Ci Jenkins 2.44
Jenkins-Ci Jenkins 2.43
Jenkins-Ci Jenkins 2.32
Jenkins-Ci Jenkins 2.31
Jenkins-Ci Jenkins 2.3
Jenkins-Ci Jenkins 2.2
Jenkins-Ci Jenkins 2.1
Jenkins-Ci Jenkins 2.0

Not Vulnerable:

Exploit

An attacker can exploit these issues using a web browser.

References:

• Jenkins CI Homepage (Jenkins CI)
  
• Jenkins Security Advisory 2017-12-05 (Jenkins)
  

Source: www.securityfocus.com