VYPR
Medium severity (5.4) · NVD Advisory · Published Feb 9, 2017 · Updated May 13, 2026

CVE-2016-3101

Description

Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Jenkins Extra Columns plugin before 1.17 allows injection of arbitrary web script or HTML via unescaped tooltips.

Vulnerability

The Jenkins Extra Columns plugin versions up to and including 1.16 contain a stored cross-site scripting (XSS) vulnerability in the description column tooltip rendering. The plugin fails to filter user-supplied tooltip HTML through the configured markup formatter, allowing arbitrary HTML and script injection [1][3]. This affects any Jenkins instance using the Extra Columns plugin with the description column feature enabled.

Exploitation

An attacker with job configuration permissions can inject malicious HTML or JavaScript into the tooltip content of the description column. When a user views the job listing page, the injected code executes in the context of their browser session. The attack requires the ability to set a job description (or similar tooltip field) and the victim to hover over or interact with the corresponding tooltip element [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary web script or HTML in the victim's browser session, potentially leading to session hijacking, credential theft, unauthorized actions within Jenkins, or defacement of the Jenkins UI. The impact is limited to users who view the malicious content [1][3].

Mitigation

Users should upgrade the Extra Columns plugin to version 1.17, which fixes the vulnerability by passing tooltip content through the app.markupFormatter.translate() method [4]. No workarounds are documented. The fix was included in the Jenkins Security Advisory 2016-04-11 [3]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
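An inventory check a defender can run against a plugin list exported from Jenkins, added here as an example (not part of the advisory, NVD, or the plugin's own code). It assumes the JSON layout of Jenkins' pluginManager remote API (`/pluginManager/api/json?depth=1`, a `plugins` list whose objects carry `shortName`, `version` and `active`) and flags Extra Columns installs below the patched 1.17, comparing versions numerically so that 1.9 is ranked below 1.17.

```python
import json
import re

# From the advisory: Extra Columns releases before 1.17 carry CVE-2016-3101.
PLUGIN_SHORT_NAME = "extra-columns"
FIXED_VERSION = "1.17"

# Constructed sample in the shape of Jenkins' /pluginManager/api/json?depth=1
# response (a "plugins" list of objects with shortName, version, active);
# not a capture from a real server.
SAMPLE_PLUGIN_LIST = json.dumps({"plugins": [
    {"shortName": "git", "version": "2.4.0", "active": True},
    {"shortName": "extra-columns", "version": "1.9", "active": True},
]})


def parse_version(version):
    """Turn the dotted numeric prefix of a plugin version into an int tuple.

    Lexical comparison would rank "1.9" above "1.17"; tuples compare each
    component numerically. A trailing qualifier (e.g. "-SNAPSHOT") is
    ignored for this before/after-1.17 check.
    """
    match = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if not match:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version):
    """True when an Extra Columns version is below the patched 1.17."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable_plugins(plugin_list_json):
    """Return the Extra Columns entries in a pluginManager JSON export that
    still need the 1.17 upgrade, keeping whether the plugin is active."""
    findings = []
    for plugin in json.loads(plugin_list_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "")
        if is_vulnerable(version):
            findings.append({"shortName": PLUGIN_SHORT_NAME, "version": version,
                             "active": plugin.get("active", True),
                             "fixed_in": FIXED_VERSION})
    return findings


for finding in find_vulnerable_plugins(SAMPLE_PLUGIN_LIST):
    print(f"{finding['shortName']} {finding['version']} < {finding['fixed_in']} "
          f"(active={finding['active']}): upgrade")
```

Replace `SAMPLE_PLUGIN_LIST` with the body fetched from your own controller's endpoint; an inactive-but-installed entry is still reported, since the plugin's Jelly view is loaded again as soon as it is re-enabled.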

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Affected versions   Patched versions
org.jenkins-ci.plugins:extra-columns (Maven)   < 1.17              1.17

Affected products: 3

Patches: 1

028ee0b32429

[FIXED SECURITY-136]

1 file changed · +1 −1
  • src/main/resources/jenkins/plugins/extracolumns/DescriptionColumn/column.jelly (modified, +1 −1)
    @@ -32,7 +32,7 @@
         <j:if test="${it.isDisplayName()}">
           <a href="${jobBaseUrl}${job.shortUrl}" class='model-link inside'>${relativeDisplayName != null ? relativeDisplayName : job.displayName}</a><br/>
         </j:if>
    -    <div tooltip="${tooltipdesc}" style="${it.isForceWidth() ? widthAttribute : null}">
    +    <div tooltip="${app.markupFormatter.translate(tooltipdesc)}" style="${it.isForceWidth() ? widthAttribute : null}">
           <j:out value="${app.markupFormatter.translate(desc)}"/>
         </div>
       </td>
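Review bot: the changed line now routes the tooltip through the same `app.markupFormatter.translate()` call that the `<j:out value="${app.markupFormatter.translate(desc)}"/>` line directly below already applies to the visible description, which is the right shape for the fix, but the commit message "[FIXED SECURITY-136]" should say so, since the one-line diff gives no hint that the tooltip attribute was the one sink left unfiltered. Two things worth recording with it: the protection is only as strict as the instance's configured markup formatter (the advisory text calls it "the configured markup formatter" for that reason), and a rendering test that feeds a description containing markup and asserts on the emitted `tooltip` attribute would keep this from regressing silently.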
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.