CVE-2017-2601
MEDIUMJenkins < 2.44 and < 2.32.2 - Stored Cross-Site Scripting in Parameter Names and Descriptions
Title source: llmDescription
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
References (9)
Core 9
Core References
Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2601
Patch, Third Party Advisory
https://github.com/jenkinsci/jenkins/commit/fd2e081b947124c90bcd97bfc55e1a7f2ef41a74
Vendor Advisory
https://jenkins.io/security/advisory/2017-02-01/
Third Party Advisory, VDB Entry vdb-entry
http://www.securityfocus.com/bid/95960
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/04/12/5
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/05/17/8
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/06/22/3
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/06/30/3
Mailing List mailing-list
http://www.openwall.com/lists/oss-security/2022/10/19/3
Scores
CVSS v3
5.4
EPSS
0.0033
EPSS Percentile
55.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
jenkins/jenkins
< 2.32.2
jenkins/jenkins
< 2.44
org.jenkins-ci.main/jenkins-core
0 - 2.32.2Maven
Published
May 10, 2018
Tracked Since
Feb 18, 2026