Low severity · NVD Advisory · Published Dec 1, 2011 · Updated Apr 29, 2026
CVE-2011-4344
Description
Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | < 1.409.3 | 1.409.3 |
| org.jenkins-ci.main:jenkins-core (Maven) | >= 1.410, < 1.438 | 1.438 |
Affected products
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:* (range: <= 1.437)
- cpe:2.3:a:jenkins:jenkins:1.409.1:*:*:*:lts:*:*:*
- cpe:2.3:a:jenkins:jenkins:1.409.2:*:*:*:lts:*:*:*
Patches
410ed3001d51: escape error messages which are supposed to be plain text and not markup
3 files changed · +19 −2
src/java/winstone/ErrorServlet.java+1 −1 modified@@ -42,7 +42,7 @@ public void service(ServletRequest request, ServletResponse response) throws Ser // If we are here there was no error servlet, so show the default error page String output = Launcher.RESOURCES.getString("WinstoneResponse.ErrorPage", - new String[] { sc + "", (msg == null ? "" : msg), sw.toString(), + new String[] { sc + "", URIUtil.htmlEscape(msg == null ? "" : msg), URIUtil.htmlEscape(sw.toString()), Launcher.RESOURCES.getString("ServerVersion"), "" + new Date() }); response.setContentLength(output.getBytes(response.getCharacterEncoding()).length);
src/java/winstone/URIUtil.java+17 −0 modified@@ -50,4 +50,21 @@ static String canonicalPath(String path) { return buf.toString(); } + /** + * Performs necessary escaping to render arbitrary plain text as plain text without any markup. + */ + public static String htmlEscape(String text) { + StringBuilder buf = new StringBuilder(text.length()+64); + for( int i=0; i<text.length(); i++ ) { + char ch = text.charAt(i); + if(ch=='<') + buf.append("<"); + else + if(ch=='&') + buf.append("&"); + else + buf.append(ch); + } + return buf.toString(); + } }
src/java/winstone/WinstoneResponse.java+1 −1 modified@@ -805,7 +805,7 @@ public void sendError(int sc, String msg) throws IOException { this.statusCode = sc; } String output = Launcher.RESOURCES.getString("WinstoneResponse.ErrorPage", - new String[] { sc + "", (msg == null ? "" : msg), "", + new String[] { sc + "", URIUtil.htmlEscape(msg == null ? "" : msg), "", Launcher.RESOURCES.getString("ServerVersion"), "" + new Date() }); setContentLength(output.getBytes(getCharacterEncoding()).length);
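Review bot: in the ErrorServlet.java hunk, the `msg == null ? "" : msg` guard is correctly kept inside the `URIUtil.htmlEscape(...)` call, because `htmlEscape` dereferences its argument with no null check of its own; every future caller has to remember the same guard, so consider moving the null handling into `htmlEscape` (return "" for null) and simplifying both call sites to `URIUtil.htmlEscape(msg)`. Escaping `sw.toString()` as well is the right call, since exception messages in the stack trace can carry request-derived text just as `msg` can.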
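Review bot: in the URIUtil.java hunk, as rendered here the two replacements write back the very characters they match (`buf.append("<")` for '<' and `buf.append("&")` for '&'), which would make `htmlEscape` a no-op; the intended replacements are the entities `&lt;` and `&amp;`, and the displayed text has most likely been de-entitized by the page's extraction, so verify the committed source rather than this rendering. Also, only '<' and '&' are handled: that is sufficient for text-node context, which is where `WinstoneResponse.ErrorPage` substitutes these values, but not for attribute context, where '"' and '\'' would also need escaping. Either state that restriction in the Javadoc ("safe for element content only") or escape '>', '"' and '\'' as well so the helper cannot be misused later.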
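Review bot: in the WinstoneResponse.java hunk, `sendError(int sc, String msg)` is the container's implementation of the Servlet API entry point that application code calls with caller-supplied messages, so escaping here is needed regardless of the ErrorServlet fix; good that both paths are covered. Minor: this hunk and the ErrorServlet one now duplicate the `sc + ""`, null-guard-then-escape and `new Date()` argument array, so a small shared helper that builds the `ErrorPage` argument array would keep the two paths from drifting apart.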
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- openwall.com/lists/oss-security/2011/11/23/5 (NVD: Patch, Web)
- openwall.com/lists/oss-security/2011/11/23/6 (NVD: Patch, Web)
- www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2011-11-08.cb (NVD: Patch, Vendor Advisory, Web)
- github.com/jenkinsci/winstone/commit/410ed3001d51c689cf59085b7417466caa2ded7b.patch (NVD: Patch, Web)
- github.com/advisories/GHSA-q3rp-555r-hh6r (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-4344 (GHSA: Advisory)
- groups.google.com/group/jenkinsci-advisories/msg/1b94588f90f876b5 (NVD: Web)
- web.archive.org/web/20200229031004/https://www.securityfocus.com/bid/50786 (GHSA: Web)
- secunia.com/advisories/46911 (NVD)
- www.securityfocus.com/bid/50786 (NVD)