Reflected XSS vulnerability in Jenkins markup formatter preview
Moderate severity
GitHub Reviewed
Published May 24, 2022 to the GitHub Advisory Database
Updated Dec 14, 2023
Package
Affected versions: <= 2.263.1; >= 2.264, <= 2.274
Patched versions: 2.263.2; 2.275
Description
Published by the National Vulnerability Database
Jan 13, 2021
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Jun 24, 2022
Last updated
Dec 14, 2023
Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered.
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier do not implement any restrictions on the URL that renders the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, as is the case with Anything Goes Formatter Plugin.
Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly.
In case of problems with this change, these protections can be disabled by setting the Java system property hudson.markup.MarkupFormatter.previewsAllowGET to true and/or hudson.markup.MarkupFormatter.previewsSetCSP to false. Doing either is discouraged.
References