Moderate severityNVD Advisory· Published Oct 10, 2014· Updated May 6, 2026
CVE-2014-3678
CVE-2014-3678
Description
Cross-site scripting (XSS) vulnerability in the Monitoring plugin before 1.53.0 for Jenkins allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jvnet.hudson.plugins:monitoringMaven | < 1.53.0 | 1.53.0 |
Affected products
14cpe:2.3:a:jenkins-ci:monitoring_plugin:1.40.0:*:*:*:*:cloudbees_jenkins:*:*+ 13 more
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.40.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.41.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.42.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.43.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.44.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.45.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.46.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.47.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.48.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.49.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.50.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.51.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:1.52.0:*:*:*:*:cloudbees_jenkins:*:*
- cpe:2.3:a:jenkins-ci:monitoring_plugin:*:*:*:*:*:cloudbees_jenkins:*:*range: <=1.52.1
Patches
1f0f6aeef2032[FIXED SECURITY-113]
1 file changed · +12 −1
src/main/java/org/jvnet/hudson/plugins/monitoring/HudsonMonitoringFilter.java+12 −1 modified@@ -19,6 +19,7 @@ package org.jvnet.hudson.plugins.monitoring; import java.io.IOException; +import java.util.Enumeration; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; @@ -69,9 +70,19 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha final String monitoringUrl = getMonitoringUrl(httpRequest); final String monitoringSlavesUrl = monitoringUrl + "/nodes"; if (!PLUGIN_AUTHENTICATION_DISABLED - && (requestURI.equals(monitoringUrl) || requestURI.equals(monitoringSlavesUrl))) { + && (requestURI.equals(monitoringUrl) || requestURI.startsWith(monitoringSlavesUrl))) { // only the Hudson/Jenkins administrator can view the monitoring report Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); + Enumeration<?> parameterNames = request.getParameterNames(); + while (parameterNames.hasMoreElements()) { + String parameterName = (String) parameterNames.nextElement(); + for (String value : request.getParameterValues(parameterName)) { + if (value.indexOf('"') != -1 || value.indexOf('\'') != -1 || value.indexOf('<') != -1 || value.indexOf('&') != -1) { + ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST); + return; + } + } + } } if (requestURI.startsWith(monitoringSlavesUrl)) {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-ghjw-fc9q-jj8cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2014-3678ghsaADVISORY
- access.redhat.com/errata/RHBA-2014:1630ghsaWEB
- access.redhat.com/security/cve/CVE-2014-3678ghsaWEB
- bugzilla.redhat.com/show_bug.cgighsaWEB
- github.com/jenkinsci/monitoring-plugin/commit/f0f6aeef2032696c97d4b015dd51fa2b841b0473ghsaWEB
- wiki.jenkins-ci.org/display/JENKINS/MonitoringnvdWEB
- wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01nvdWEB
- secunia.com/advisories/59122nvd
News mentions
0No linked articles in our index yet.