0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Jenkins 2.235.3 - (Description) Stored Cross-Site Scripting Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: Jenkins 2.235.3 - 'Description' Stored XSS # Exploit Author: gx1 # Vendor Homepage: https://www.jenkins.io/ # Software Link: https://updates.jenkins-ci.org/download/war/ # Version: <= 2.251 and <= LTS 2.235.3 # Tested on: any # CVE : CVE-2020-2230 # References: https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1957 https://www.openwall.com/lists/oss-security/2020/08/12/4 Vendor Description: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission. Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description. Technical Details and Exploitation: As it is possible to observe from patch commit: https://github.com/jenkinsci/jenkins/pull/4918/commits/7529ce8905910849e890b7e26d6563e0d56189d2 The fix to solve the vulnerability is applied in activateValidationMessage function to 'war/src/main/js/add-item.js' javascript file: function activateValidationMessage(messageId, context, message) { ... $(messageId, context).html('» ' + message); // AFTER FIX: $(messageId, context).text('» ' + message); ... } The function is called during the creation of a new Item, on "blur input" event (when text element of name input is focused): $('input[name="name"]', '#createItem').on("blur input", function() { if (!isItemNameEmpty()) { var itemName = $('input[name="name"]', '#createItem').val(); $.get("checkJobName", { value: itemName }).done(function(data) { var message = parseResponseFromCheckJobName(data); if (message !== '') { activateValidationMessage('#itemname-invalid', '.add-item-name', message); // INJECTION HERE } else { cleanValidationMessages('.add-item-name'); showInputHelp('.add-item-name'); setFieldValidationStatus('name', true); if (getFormValidationStatus()) { enableSubmit(true); } } }); } else { .... activateValidationMessage('#itemname-required', '.add-item-name'); } }); as "message" param is the injection point, we need to trigger an "invalid item name": when you are creating a new item and the name is not compliant with validation rules, an error is triggered. Error message is not escaped for vulnerable versions, so it is vulnerable to XSS. Validation rules can trigger an error in several ways, for example: - if the current item name is equal to an already existent item name; - if a project naming strategy is defined: in this case, if the project name is not compliant with a regex strategy, a error message is shown. In the first case Jenkins seems to be protected because when a new project is created, it is not possible to insert malicious characters (such as <,>). In the second case, the error message also shows a description, that can be provided by the user during the regex strategy creation. In description field, it is possible to inject malicious characters, so it is possible to insert an XSS payload in description field. When the user insert a name that is not compliant with project naming strategy, the XSS is triggered. Proof Of Concept: 1. In <jenkins_url>/configure create a new Project Naming Strategy (enable checkbox "Restrict project naming") containing the following values: Pattern: ^TEST.* Description: GX1h4ck <img src=a onerror=alert(1)> 2. Go to New element creation section (/<jenkins_url>/jenkins/view/all/newJob). When you insert a character in the name field, alert is triggered. Solution: The following releases contain fixes for security vulnerabilities: * Jenkins 2.252 * Jenkins LTS 2.235.4 # 0day.today [2024-11-15] #