Moderate severityNVD Advisory· Published Oct 17, 2014· Updated May 6, 2026

CVE-2014-2065

CVE-2014-2065

Description

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.main:jenkins-core (Maven) | >= 1.533, < 1.551 | 1.551
org.jenkins-ci.main:jenkins-core (Maven) | < 1.532.2 | 1.532.2

Affected products

  • Jenkins/Jenkins2 versions
    cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*range: <=1.550
    • cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*range: <=1.532.1

Patches

a0b00508eeb7

[FIXED SECURITY-77] XSS in iconSize cookie.

https://github.com/jenkinsci/jenkinsJesse GlickFeb 7, 2014via ghsa
4 files changed · +15 7
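--- a/core/src/main/java/hudson/Functions.java
+++ b/core/src/main/java/hudson/Functions.java
@@ -123,6 +123,8 @@
 import java.util.logging.SimpleFormatter;
 import java.util.regex.Pattern;
 import org.apache.commons.lang.StringUtils;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 
 /**
  * Utility functions used in views.
@@ -426,6 +428,15 @@ public static String getCookie(HttpServletRequest req,String name, String defaul
         return c.getValue();
     }
 
+    private static final Pattern ICON_SIZE = Pattern.compile("\\d+x\\d+");
+    @Restricted(NoExternalUse.class)
+    public static String validateIconSize(String iconSize) throws SecurityException {
+        if (!ICON_SIZE.matcher(iconSize).matches()) {
+            throw new SecurityException("invalid iconSize");
+        }
+        return iconSize;
+    }
+
     /**
      * Gets the suffix to use for YUI JavaScript.
      */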
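Review bot: `validateIconSize` is a new public method with no Javadoc, and its contract is exactly what the three call sites in this commit depend on, so it deserves a header stating that the argument is accepted only when it is two decimal digit runs joined by a lowercase `x` (full-string match via `matches()`, so no anchors are needed), that it returns the same string unchanged, and an `@throws SecurityException` for anything else; a `@throws NullPointerException` is also worth noting since a null argument reaches `matcher()` unchecked, though the callers shown here always pass a `getCookie` default. The `throws SecurityException` clause on an unchecked exception reads as if callers must handle it and can be dropped without changing behavior. Two smaller points: `\d` in `java.util.regex` matches ASCII digits only unless `UNICODE_CHARACTER_CLASS` is set, which is the desired strictness here and is worth a one-line comment on `ICON_SIZE`, and the pattern places no upper bound on the digit runs, so a long all-digit cookie value is accepted; if the downstream layout code is sensitive to that, a bounded quantifier such as `"\\d{1,4}x\\d{1,4}"` would document the intended range. Declaring the constant between two methods rather than with the class's other fields is a style nit.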
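--- a/core/src/main/java/hudson/model/View.java
+++ b/core/src/main/java/hudson/model/View.java
@@ -766,7 +766,7 @@ public AsynchPeople(View parent) {
 
         {
             StaplerRequest req = Stapler.getCurrentRequest();
-            iconSize = req != null ? Functions.getCookie(req, "iconSize", "32x32") : "32x32";
+            iconSize = req != null ? Functions.validateIconSize(Functions.getCookie(req, "iconSize", "32x32")) : "32x32";
         }
 
         @Override protected void compute() throws Exception {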
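Review bot: Validating inside the instance initializer means a cookie that does not match the pattern now throws `SecurityException` out of `AsynchPeople` construction instead of falling back to `"32x32"`, which only covers the `req == null` case; a browser holding a malformed `iconSize` cookie will presumably see an error page for this view until the cookie is cleared, and the `j:set` in `setIconSize.jelly` has the same property. If that is intended as a hard failure it should be said in a comment, otherwise a default-on-failure keeps the page rendering: `String raw = req != null ? Functions.getCookie(req, "iconSize", "32x32") : "32x32";` followed by `try { iconSize = Functions.validateIconSize(raw); } catch (SecurityException e) { iconSize = "32x32"; }`. The cookie name and default are repeated as literals across `View.java`, `Jenkins.java` and the Jelly view, so a shared constant in `Functions` would keep them from drifting. The enclosing `AsynchPeople` class and its constructor extend outside this hunk.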
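--- a/core/src/main/java/jenkins/model/Jenkins.java
+++ b/core/src/main/java/jenkins/model/Jenkins.java
@@ -295,7 +295,6 @@
 import static java.util.logging.Level.SEVERE;
 import java.util.logging.LogRecord;
 import java.util.logging.Logger;
-import java.util.regex.Pattern;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
@@ -3417,9 +3416,9 @@ public void doSignup( StaplerRequest req, StaplerResponse rsp ) throws IOExcepti
      */
     public void doIconSize( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
         String qs = req.getQueryString();
-        if(qs==null || !ICON_SIZE.matcher(qs).matches())
+        if(qs==null)
             throw new ServletException();
-        Cookie cookie = new Cookie("iconSize", qs);
+        Cookie cookie = new Cookie("iconSize", Functions.validateIconSize(qs));
         cookie.setMaxAge(/* ~4 mo. */9999999); // #762
         rsp.addCookie(cookie);
         String ref = req.getHeader("Referer");
@@ -3964,8 +3963,6 @@ public static VersionNumber getVersion() {
 
     private static final Logger LOGGER = Logger.getLogger(Jenkins.class.getName());
 
-    private static final Pattern ICON_SIZE = Pattern.compile("\\d+x\\d+");
-
     public static final PermissionGroup PERMISSIONS = Permission.HUDSON_PERMISSIONS;
     public static final Permission ADMINISTER = Permission.HUDSON_ADMINISTER;
     public static final Permission READ = new Permission(PERMISSIONS,"Read",Messages._Hudson_ReadPermission_Description(),Permission.READ,PermissionScope.JENKINS);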
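Review bot: In `doIconSize` a malformed query string used to be rejected with the declared `ServletException`, but after the change it surfaces as an unchecked `SecurityException` thrown from `Functions.validateIconSize`, so the null and malformed cases now take different error paths and the method's `throws` clause no longer describes the failure callers will see; whether the web layer maps the runtime exception to the same response is not visible here. Keeping one error path is a small wrap: `String size; try { size = Functions.validateIconSize(qs); } catch (SecurityException e) { throw new ServletException(e); }` before constructing the cookie. The Javadoc above the method (cut at the top of the hunk) should also be updated to say the value is validated against `Functions.validateIconSize` rather than a local pattern. Removing the `java.util.regex.Pattern` import is correct only if nothing else in `Jenkins.java` uses it, which this hunk cannot show; the rest of the method body, starting with the `Referer` handling, lies outside the hunk.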
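--- a/core/src/main/resources/lib/hudson/setIconSize.jelly
+++ b/core/src/main/resources/lib/hudson/setIconSize.jelly
@@ -27,7 +27,7 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:x="jelly:xml" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <j:set scope="parent" var="iconSize" value="${h.getCookie(request,'iconSize','32x32')}" />
+  <j:set scope="parent" var="iconSize" value="${h.validateIconSize(h.getCookie(request,'iconSize','32x32'))}" />
   <!--
     balls look smaller than their actual size,
     so we try not to make the secondary icons look bigger than the icon.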

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References


News mentions


No linked articles in our index yet.