First published: Fri Jan 26 2018
Affected: Jenkins 2.88 and earlier; Jenkins LTS 2.73.2 and earlier. Autocompletion suggestions for text fields were not escaped, resulting in a persisted (stored) cross-site scripting vulnerability if the source of the suggestions allowed specifying text that includes HTML metacharacters such as the less-than and greater-than characters.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Jenkins | <=2.73.2 | Upgrade to Jenkins 2.89 or later
Jenkins | <=2.88 | Upgrade to Jenkins 2.89 or later
CVE-2017-1000392 has a high severity level due to its potential for persistent cross-site scripting attacks.
To fix CVE-2017-1000392, upgrade Jenkins to version 2.89 or later.
Jenkins versions 2.88 and earlier, as well as 2.73.2 and earlier, are affected by CVE-2017-1000392.
CVE-2017-1000392 is a cross-site scripting vulnerability caused by the lack of escaping in autocompletion suggestions.
CVE-2017-1000392 can compromise user data through XSS: a suggestion containing markup is rendered as live HTML, allowing an attacker to execute script in the context of the viewing user's Jenkins session.