ID: EDB-ID:49237 | Type: exploitdb | Reporter: Exploit-DB | Modified: 2020-12-11T00:00:00
Description
# Exploit Title: Jenkins 2.235.3 - 'Description' Stored XSS
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE : CVE-2020-2230
# References:
https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1957
https://www.openwall.com/lists/oss-security/2020/08/12/4
Vendor Description:
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.
Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.
Technical Details and Exploitation:
As can be seen in the patch commit:
https://github.com/jenkinsci/jenkins/pull/4918/commits/7529ce8905910849e890b7e26d6563e0d56189d2
the fix is applied in the activateValidationMessage function of the 'war/src/main/js/add-item.js' JavaScript file:
function activateValidationMessage(messageId, context, message) {
    ...
    $(messageId, context).html('» ' + message); // AFTER FIX: $(messageId, context).text('» ' + message);
    ...
}
The function is called during the creation of a new Item, from the handler bound to the "blur input" events of the name input field:
$('input[name="name"]', '#createItem').on("blur input", function() {
    if (!isItemNameEmpty()) {
        var itemName = $('input[name="name"]', '#createItem').val();
        $.get("checkJobName", { value: itemName }).done(function(data) {
            var message = parseResponseFromCheckJobName(data);
            if (message !== '') {
                activateValidationMessage('#itemname-invalid', '.add-item-name', message); // INJECTION HERE
            } else {
                cleanValidationMessages('.add-item-name');
                showInputHelp('.add-item-name');
                setFieldValidationStatus('name', true);
                if (getFormValidationStatus()) {
                    enableSubmit(true);
                }
            }
        });
    } else {
        ....
        activateValidationMessage('#itemname-required', '.add-item-name');
    }
});
Since the "message" parameter is the injection point, an "invalid item name" error has to be triggered: when a new item is being created and its name does not comply with the validation rules, the server returns an error message. In vulnerable versions that message is inserted into the page without escaping, so it is an XSS sink.
The validation rules can produce an error in several ways, for example:
- the new item name is equal to the name of an existing item;
- a project naming strategy is defined and the name does not match its regex, in which case an error message is shown.
In the first case Jenkins appears to be protected: when a project is created, characters such as < and > cannot be used in its name, so an existing name cannot carry a payload.
In the second case the error message also includes a description, which is supplied by the user who configures the regex naming strategy. The description field accepts such characters, so an XSS payload can be stored there.
Whenever a user then types a name that does not comply with the project naming strategy, the stored payload is rendered and the XSS fires.
Proof Of Concept:
1. In <jenkins_url>/configure create a new Project Naming Strategy (enable checkbox "Restrict project naming") containing the following values:
Pattern: ^TEST.*
Description: GX1h4ck <img src=a onerror=alert(1)>
2. Go to the new item creation page (/<jenkins_url>/jenkins/view/all/newJob).
As soon as a character is typed into the name field, the alert fires.
Solution:
The following releases contain fixes for security vulnerabilities:
* Jenkins 2.252
* Jenkins LTS 2.235.4
Cross-references:

Exploit-DB entry: https://www.exploit-db.com/exploits/49237 (raw file: https://www.exploit-db.com/download/49237). CVSS v2 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N).

- NVD CVE-2020-2230 (CWE-79): CVSS v3.1 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N; CVSS v2 3.5 LOW. Affected CPEs: cpe:/a:jenkins:jenkins:2.251 and cpe:/a:jenkins:jenkins:2.235.3 (LTS). https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-2230
- Packet Storm 160443, "Jenkins 2.235.3 Cross Site Scripting" (https://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html): bundles this advisory with the same author's write-up for CVE-2020-2229 (SECURITY-1955), a stored XSS in the tooltip of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values; the tooltip attribute of the svgIcon layout element ('core/src/main/resources/lib/layout/svgIcon.jelly') was emitted unescaped, and the fix in the same PR (commit c991b45b5bae09f9894acdc1f1fb1d8809fe6ef6) wraps it as tooltip="${h.xmlEscape(attrs.tooltip ?: '')}". Fixed in the same releases (2.252, LTS 2.235.4).
- FreeBSD VuXML eef0d2d9-78c0-441e-8b03-454c5baebe20, "jenkins -- multiple vulnerabilities", covering SECURITY-1955 / CVE-2020-2229 (help icons), SECURITY-1957 / CVE-2020-2230 (project naming strategy) and SECURITY-1960 / CVE-2020-2231 ('Trigger builds remotely'), all rated High in the Jenkins advisory: https://vuxml.freebsd.org/freebsd/eef0d2d9-78c0-441e-8b03-454c5baebe20.html
- Nessus plugins: 139557 (FreeBSD package check, flags jenkins<2.252 and jenkins-lts<2.235.4), 139726 "Jenkins < 2.235.4 LTS / 2.252 Multiple Cross-Site Scripting (XSS) Vulnerabilities" (remote check that relies only on the self-reported version), 141814 "RHEL 7 : OpenShift Container Platform 3.11.306 jenkins (RHSA-2020:4223)".
- Red Hat: RHSA-2020:4223 (also covers CVE-2019-17638, CVE-2020-2229 and CVE-2020-2231); further errata RHSA-2020:3841, RHSA-2020:4220 and RHSA-2020:3808.
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'openshift_3_11_el7': [\n 'rhel-7-for-power-9-ose-3.11-debug-rpms',\n 'rhel-7-for-power-9-ose-3.11-rpms',\n 'rhel-7-for-power-9-ose-3.11-source-rpms',\n 'rhel-7-for-power-le-ose-3.11-debug-rpms',\n 'rhel-7-for-power-le-ose-3.11-rpms',\n 'rhel-7-for-power-le-ose-3.11-source-rpms',\n 'rhel-7-server-ose-3.11-debug-rpms',\n 'rhel-7-server-ose-3.11-rpms',\n 'rhel-7-server-ose-3.11-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:4223');\n}\n\npkgs = [\n {'reference':'jenkins-2.235.5.1600415953-1.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['openshift_3_11_el7']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if 
(!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jenkins');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-16T13:31:24", "description": "The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:3841 advisory.\n\n - jetty: double release of resource can lead to information disclosure (CVE-2019-17638)\n\n - jenkins: user-specified tooltip values leads to stored cross-site scripting (CVE-2020-2229)\n\n - jenkins: stored XSS vulnerability in project naming strategy (CVE-2020-2230)\n\n - jenkins: stored XSS vulnerability in 'trigger builds remotely' (CVE-2020-2231)\n\nNote that Nessus has not tested for this issue but has 
instead relied only on the application's self-reported version\nnumber.", "edition": 3, "cvss3": {"score": 9.4, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"}, "published": "2020-10-02T00:00:00", "title": "RHEL 7 : OpenShift Container Platform 4.5.13 jenkins (RHSA-2020:3841)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-2229", "CVE-2019-17638", "CVE-2020-2231", "CVE-2020-2230"], "modified": "2020-10-02T00:00:00", "cpe": ["cpe:/a:redhat:openshift:4.5", "p-cpe:/a:redhat:enterprise_linux:jenkins", "cpe:/o:redhat:enterprise_linux:7", "cpe:/a:redhat:openshift:4.5::el7"], "id": "REDHAT-RHSA-2020-3841.NASL", "href": "https://www.tenable.com/plugins/nessus/141125", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3841. The text\n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141125);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/14\");\n\n script_cve_id(\n \"CVE-2019-17638\",\n \"CVE-2020-2229\",\n \"CVE-2020-2230\",\n \"CVE-2020-2231\"\n );\n script_xref(name:\"RHSA\", value:\"2020:3841\");\n\n script_name(english:\"RHEL 7 : OpenShift Container Platform 4.5.13 jenkins (RHSA-2020:3841)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:3841 advisory.\n\n - jetty: double release of resource can lead to information disclosure (CVE-2019-17638)\n\n - jenkins: user-specified tooltip values leads to stored cross-site scripting (CVE-2020-2229)\n\n - jenkins: 
stored XSS vulnerability in project naming strategy (CVE-2020-2230)\n\n - jenkins: stored XSS vulnerability in 'trigger builds remotely' (CVE-2020-2231)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/79.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/200.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/672.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17638\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2229\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2230\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2231\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3841\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1864680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1874830\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1875232\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1875234\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected jenkins package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2019-17638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79, 200, 672);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:openshift:4.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:openshift:4.5::el7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jenkins\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('lists.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'openshift_4_5_el7': [\n 'rhel-7-for-power-le-ose-4.5-debug-rpms',\n 'rhel-7-for-power-le-ose-4.5-rpms',\n 'rhel-7-for-power-le-ose-4.5-source-rpms',\n 'rhel-7-for-system-z-ose-4.5-debug-rpms',\n 'rhel-7-for-system-z-ose-4.5-rpms',\n 'rhel-7-for-system-z-ose-4.5-source-rpms',\n 'rhel-7-server-ose-4.5-debug-rpms',\n 'rhel-7-server-ose-4.5-rpms',\n 'rhel-7-server-ose-4.5-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n found_repos = make_list(found_repos, repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:3841');\n}\n\npkgs = [\n {'reference':'jenkins-2.235.5.1600414805-1.el7', 'release':'7', 'repo_list':['openshift_4_5_el7']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = 
package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (empty_or_null(found_repos) || (!empty_or_null(found_repos) && collib::intersection(found_repos, repo_list))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jenkins');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2020-10-22T12:03:18", "bulletinFamily": "unix", "cvelist": ["CVE-2019-17638", "CVE-2020-2229", "CVE-2020-2230", "CVE-2020-2231"], "description": "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jetty: Double release of resource can lead to information disclosure (CVE-2019-17638)\n\n* jenkins: User-specified tooltip values leads to stored cross-site scripting (CVE-2020-2229)\n\n* jenkins: Stored XSS vulnerability in project naming strategy (CVE-2020-2230)\n\n* jenkins: Stored XSS vulnerability in 'trigger builds remotely' (CVE-2020-2231)\n\nFor more details about the security issue(s), including the impact, a CVSS score, 
acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-10-22T14:39:34", "published": "2020-10-22T14:29:39", "id": "RHSA-2020:4223", "href": "https://access.redhat.com/errata/RHSA-2020:4223", "type": "redhat", "title": "(RHSA-2020:4223) Important: OpenShift Container Platform 3.11.306 jenkins security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-30T19:46:51", "bulletinFamily": "unix", "cvelist": ["CVE-2019-17638", "CVE-2020-2229", "CVE-2020-2230", "CVE-2020-2231"], "description": "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jetty: double release of resource can lead to information disclosure (CVE-2019-17638)\n\n* jenkins: user-specified tooltip values leads to stored cross-site scripting (CVE-2020-2229)\n\n* jenkins: stored XSS vulnerability in project naming strategy (CVE-2020-2230)\n\n* jenkins: stored XSS vulnerability in 'trigger builds remotely' (CVE-2020-2231)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-09-30T22:50:42", "published": "2020-09-30T22:49:53", "id": "RHSA-2020:3841", "href": "https://access.redhat.com/errata/RHSA-2020:3841", "type": "redhat", "title": "(RHSA-2020:3841) Important: OpenShift Container Platform 4.5.13 jenkins security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-13T10:01:49", "bulletinFamily": "unix", "cvelist": ["CVE-2019-17638", "CVE-2020-2229", "CVE-2020-2230", "CVE-2020-2231"], "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity 
Fix(es):\n\n* jetty: Double release of resource can lead to information disclosure (CVE-2019-17638)\n\n* jenkins: User-specified tooltip values leads to stored cross-site scripting (CVE-2020-2229)\n\n* jenkins: Stored XSS vulnerability in project naming strategy (CVE-2020-2230)\n\n* jenkins: Stored XSS vulnerability in 'trigger builds remotely' (CVE-2020-2231)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-10-13T11:59:55", "published": "2020-10-13T11:58:37", "id": "RHSA-2020:4220", "href": "https://access.redhat.com/errata/RHSA-2020:4220", "type": "redhat", "title": "(RHSA-2020:4220) Important: OpenShift Container Platform 4.4.27 openshift-jenkins-2-container security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T00:03:32", "bulletinFamily": "unix", "cvelist": ["CVE-2019-17638", "CVE-2020-2220", "CVE-2020-2221", "CVE-2020-2222", "CVE-2020-2223", "CVE-2020-2229", "CVE-2020-2230", "CVE-2020-2231", "CVE-2020-8557"], "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nJenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins: Stored XSS vulnerability in job build time trend (CVE-2020-2220)\n\n* jenkins: Stored XSS vulnerability in upstream cause (CVE-2020-2221)\n\n* jenkins: Stored XSS vulnerability in 'keep forever' badge icons (CVE-2020-2222)\n\n* jenkins: Stored XSS vulnerability in console links (CVE-2020-2223)\n\n* kubernetes: Node disk DOS by writing to container /etc/hosts (CVE-2020-8557)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other 
related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-10-15T03:14:07", "published": "2020-09-23T16:37:44", "id": "RHSA-2020:3808", "href": "https://access.redhat.com/errata/RHSA-2020:3808", "type": "redhat", "title": "(RHSA-2020:3808) Important: OpenShift Container Platform 4.3.38 jenkins and openshift security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}