CVE-2017-2607 — Improper Neutralization of Input During Web Page Generation in Jenkins

Description

Jenkins before versions 2.44 and 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.

How to fix CVE-2017-2607

To remediate CVE-2017-2607, upgrade the affected package to a fixed version below.

—upgrade to 2.32.2 or later

Is CVE-2017-2607 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.32.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-2607
PATCHgithub.com/jenkinsci/jenkins
WEBbugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2607
WEBwww.securityfocus.com/bid/95963