CVE-2017-1000389

Vulnerability

The Jenkins global-build-stats plugin version 1.4 and earlier returns JSON responses that include request parameters, but sets the Content-Type header to text/html. This causes browsers to interpret the response as HTML, enabling a reflected cross-site scripting (XSS) vulnerability. Additionally, plugin URLs that modify data accept GET requests instead of requiring POST, allowing cross-site request forgery (CSRF) attacks. The affected plugin version range is 1.4 and all earlier releases [1][2].

Exploitation

For reflected XSS, an attacker can craft a malicious URL with JavaScript embedded in a parameter and trick a victim into clicking it; the victim's browser then executes the script because the response Content-Type is text/html. For CSRF, an attacker can host a page that submits a GET request to a data-modifying URL (e.g., form submission) on a Jenkins instance where the victim is authenticated, thereby performing unauthorized state changes without the victim's consent. No special network position is required beyond standard web access [1][2].

Impact

Successful reflected XSS allows an attacker to execute arbitrary JavaScript in the victim's browser session, potentially disclosing session tokens or performing actions on behalf of the victim. Successful CSRF allows an attacker to perform state-changing operations (e.g., modifying build statistics configuration) without the victim's knowledge, leading to data integrity compromise [1][2].

Mitigation

The vulnerability is fixed in global-build-stats plugin version 1.5. The fix ensures JSON responses use the correct Content-Type: application/json and that all state-changing URLs require POST requests, eliminating both the XSS and CSRF vectors. Users should upgrade to version 1.5 or later. No workaround is provided for earlier versions [1][2].