VYPR
Moderate severity · NVD Advisory · Published Jan 26, 2018 · Updated Aug 5, 2024

CVE-2017-1000392

Description

Jenkins autocompletion suggestions were not escaped, allowing persistent XSS via specially crafted suggestion text in affected versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Jenkins 2.88 and earlier, and LTS 2.73.2 and earlier, contain a persistent (stored) cross-site scripting vulnerability in the autocompletion functionality for text fields. Suggestions were inserted into the page without escaping, so a suggestion containing HTML metacharacters is rendered as markup rather than as text [1]. Known sources for these suggestions include logger names in log recorder conditions and agent labels [4].

Exploitation

An attacker who controls a suggestion source (for example, a user permitted to create a log recorder or to configure an agent) can give it a name containing HTML or JavaScript. When another user types into a text field that autocompletes from that source and the matching suggestion is rendered in the dropdown, the injected markup is interpreted and the script executes in the victim's browser [4].
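The two paragraphs above describe the sink in prose; the following is an added example (illustrative code written for this page, not Jenkins's or YUI's source) that models it. It renders a constructed list of agent labels through an autocomplete formatter that highlights the typed prefix, first without escaping, as the vulnerable versions effectively did, then with every untrusted fragment escaped, which is what the fix's switch to an escaping formatter achieves. The label list, the helper names and the tag-detection check are all assumptions made for the demo.

```javascript
// Added example, not Jenkins or YUI code. It models the pattern behind
// SECURITY-641: an autocomplete widget that turns each suggestion into an
// HTML string (highlighting the typed prefix, as YUI's default formatter
// does) without escaping it. All names and the sample labels are
// constructed for this demo.

// Constructed suggestion source: agent labels, one of them chosen by a
// user who could configure an agent and wanted to attack anyone who
// later autocompletes a label expression.
const AGENT_LABELS = [
  "linux",
  "linux-docker",
  "linux<img src=x onerror=alert(document.cookie)>",
];

// Minimal HTML escaping (assumption: no templating library is at hand).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: suggestion and query are concatenated straight into markup.
// The <b> is intended; anything the attacker put in the label is not.
function formatResultUnescaped(suggestion, query) {
  if (suggestion.startsWith(query)) {
    return "<b>" + query + "</b>" + suggestion.slice(query.length);
  }
  return suggestion;
}

// HARDENED: every untrusted fragment (the query is user-typed too) is
// escaped before markup is built around it.
function formatResultEscaped(suggestion, query) {
  if (suggestion.startsWith(query)) {
    return "<b>" + escapeHtml(query) + "</b>" +
      escapeHtml(suggestion.slice(query.length));
  }
  return escapeHtml(suggestion);
}

// Builds the dropdown's innerHTML from whichever formatter is installed.
function renderSuggestions(labels, query, formatter) {
  return labels
    .filter((label) => label.startsWith(query))
    .map((label) => "<li>" + formatter(label, query) + "</li>")
    .join("");
}

// Demo check: does any tag other than the <li>/<b> the renderer itself
// emits survive in the output? If so, suggestion text reached the DOM as
// markup and the browser would execute it.
function containsForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return tags.some((t) => !/^<\/?(b|li)$/.test(t));
}

// Renders the same labels both ways for a given typed prefix.
function demo(query = "linux") {
  return {
    unsafe: renderSuggestions(AGENT_LABELS, query, formatResultUnescaped),
    safe: renderSuggestions(AGENT_LABELS, query, formatResultEscaped),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const out = demo();
  console.log("unescaped:", out.unsafe, "-> foreign tag:", containsForeignTag(out.unsafe));
  console.log("escaped:  ", out.safe, "-> foreign tag:", containsForeignTag(out.safe));
}
```

The point the hardened formatter makes is that escaping has to happen on every untrusted fragment before any markup is concatenated around it; escaping the whole formatted string afterwards would also neutralise the intended `<b>` highlight, and escaping only the suffix would leave the typed query as a second injection point. An alternative that avoids string-built HTML altogether is to create the `<li>` and `<b>` elements and assign the text via `textContent`.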

Impact

Successful exploitation allows arbitrary JavaScript execution in the context of the Jenkins user interface, potentially leading to session hijacking, credential theft, or actions performed on behalf of the victim.

Mitigation

The vulnerability is fixed in Jenkins weekly 2.89 and LTS 2.73.3 [4]. Users should upgrade to these versions or later. There are no known workarounds for unpatched versions.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions   Patched version
org.jenkins-ci.main:jenkins-core (Maven)  < 2.73.3            2.73.3
org.jenkins-ci.main:jenkins-core (Maven)  >= 2.74, < 2.89     2.89

Affected products: 1

Patches: 1
f67068170b55

[SECURITY-641] Escape autocompletion suggestions

https://github.com/jenkinsci/jenkins · Daniel Beck · Oct 24, 2017 · via ghsa
1 file changed · +1 −0
  • war/src/main/webapp/scripts/hudson-behavior.js · +1 −0 · modified
    @@ -712,6 +712,7 @@ var jenkinsRules = {
             };
             ac.prehighlightClassName = "yui-ac-prehighlight";
             ac.animSpeed = 0;
    +        ac.formatResult = ac.formatEscapedResult;
             ac.useShadow = true;
             ac.autoSnapContainer = true;
             ac.delimChar = e.getAttribute("autoCompleteDelimChar");
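Review bot: the escaping is installed per instance in this jenkinsRules entry, so only AutoComplete objects created through this code path get it; any other place in the webapp that instantiates the widget and does not set `formatResult` keeps the default, unescaped formatter and the same bug. Also, `ac.formatResult = ac.formatEscapedResult;` silently assigns `undefined` if the bundled YUI build lacks `formatEscapedResult`, which would break autocompletion rather than fail loudly. A regression test that feeds a suggestion containing `<` and `>` through the rendered list and asserts it arrives as text would pin the fix and catch a library downgrade at the same time.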
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0

No linked articles in our index yet.