Moderate severity · NVD Advisory · Published May 21, 2018 · Updated Aug 5, 2024

CVE-2017-2607

Description

Jenkins before 2.44 and 2.32.2 has a persisted XSS vulnerability in console notes, enabling attackers with job or SCM access to execute arbitrary JavaScript when users view build logs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins versions before 2.44 and 2.32.2 are vulnerable to a persisted cross-site scripting (XSS) vulnerability in console notes (SECURITY-382). Jenkins lets plugins annotate build logs, adding new content or changing how existing content is presented, while the build is running. These annotations are console notes: serialized objects embedded in the log stream and deserialized again when the log is rendered for a browser. Because console notes were not signed, anyone who could get bytes into the build log could embed a serialized note of their own, and Jenkins deserialized and rendered it exactly as if a trusted plugin had produced it [1][3].

Exploitation

An attacker needs either permission to configure a Jenkins job or commit access to the SCM repository that job builds from. Both give control over what the build prints, so a modified build script or job configuration can emit a crafted serialized console note in the build output. The note is stored with the build log on the Jenkins master, which is what makes the issue persisted: every time any Jenkins user views that build log, the note is deserialized and rendered, and the attacker's markup runs as JavaScript in that user's browser [1][3].

Impact

Successful exploitation runs arbitrary JavaScript in the victim's browser within the origin of the Jenkins instance, using the victim's authenticated session. Depending on the victim's permissions this can disclose information visible to that user, hijack the session, or perform actions in Jenkins as that user [1][3]. Because the payload lives in a stored build log, a single injected note can reach many users, including administrators reviewing a failed build.

Mitigation

The fix shipped in Jenkins 2.44 (weekly) and 2.32.2 (LTS) on 2017-02-01. Console notes are now signed (a MAC under a key held by the Jenkins master) when they are created, and notes that are unsigned or whose signature does not verify are refused rather than deserialized [3]. Since the check happens on read, notes that were written into build logs before the upgrade are unsigned and therefore no longer render. As a workaround for that, an administrator can set the system property hudson.console.ConsoleNote.INSECURE to true, which restores the previous unsafe behavior by disabling the check entirely; this is not recommended [3]. The upstream commit is referenced in [3].
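To make the mechanism described in the Vulnerability, Exploitation and Mitigation sections concrete, here is a small Python model of console-note handling before and after the fix. It is an added example, not Jenkins code: the escape-sequence framing, the JSON payload, the one-byte signed/unsigned flag, the 32-byte HMAC-SHA256 tag and the `insecure` argument are assumptions standing in for Jenkins' Java serialization of ConsoleNote objects and the hudson.console.ConsoleNote.INSECURE property. What it preserves is the security property: the renderer escapes ordinary log text but inserts an accepted note's markup verbatim, and after the fix it accepts only notes carrying a valid MAC under a key the attacker does not have.

```python
"""Model of Jenkins console notes before and after the SECURITY-382 fix.

Added example, not Jenkins source. Framing bytes, payload format, flag byte and
MAC length are assumptions; the property modeled is the real one: a note is only
deserialized (and its markup rendered raw) if it carries a valid MAC under a
server-held key.
"""
import base64
import gzip
import hashlib
import hmac
import html
import json
import re
import secrets
from typing import Optional

PREAMBLE = "\x1b[8mha:"   # assumed marker standing in for ConsoleNote's preamble
POSTAMBLE = "\x1b[0m"     # assumed marker standing in for ConsoleNote's postamble
UNSIGNED, SIGNED = b"\x00", b"\x01"   # assumed flag byte; real notes use a length sign
MAC_LEN = hashlib.sha256().digest_size

SERVER_KEY = secrets.token_bytes(32)   # stands in for the master's secret; never in logs


def encode_note(payload: dict, key: Optional[bytes]) -> str:
    """Serialize a note into the escape-framed, gzipped, base64 form embedded in
    log text. key=None yields a pre-fix style unsigned note; otherwise an
    HMAC-SHA256 over the serialized body is prepended."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    if key is None:
        raw = UNSIGNED + body
    else:
        raw = SIGNED + hmac.new(key, body, hashlib.sha256).digest() + body
    return PREAMBLE + base64.b64encode(gzip.compress(raw)).decode() + POSTAMBLE


_NOTE_RE = re.compile(re.escape(PREAMBLE) + r"([A-Za-z0-9+/=]+)" + re.escape(POSTAMBLE))


def decode_note(token: str, key: bytes, insecure: bool) -> Optional[dict]:
    """Return the note payload, or None if the note must be refused.
    insecure=True models both pre-fix Jenkins and the INSECURE system property:
    the MAC is never checked."""
    try:
        raw = gzip.decompress(base64.b64decode(token))
    except (ValueError, OSError, EOFError):
        return None
    flag, rest = raw[:1], raw[1:]
    if flag == SIGNED:
        mac, body = rest[:MAC_LEN], rest[MAC_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not insecure and not hmac.compare_digest(mac, expected):
            return None          # signed with the wrong key: forged
    elif flag == UNSIGNED:
        body = rest
        if not insecure:
            return None          # unsigned (old log or attacker-printed): refused
    else:
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def render_build_log(log_text: str, key: bytes = SERVER_KEY, insecure: bool = False) -> str:
    """Turn raw console output into the HTML a browser receives. Plain text is
    escaped; an accepted note contributes its markup verbatim, which is why an
    attacker-controlled note is an XSS."""
    out, pos = [], 0
    for m in _NOTE_RE.finditer(log_text):
        out.append(html.escape(log_text[pos:m.start()]))
        note = decode_note(m.group(1), key, insecure)
        if note is not None and note.get("kind") == "markup":
            out.append(note["html"])
        pos = m.end()
    out.append(html.escape(log_text[pos:]))
    return "".join(out)


# Constructed sample log: one genuine annotator note, then lines an attacker's
# build script printed. The attacker can reproduce the framing but has no
# SERVER_KEY, so they emit an unsigned note (what worked before the fix) or sign
# with a key of their own.
GENUINE = encode_note({"kind": "markup", "html": "<b>[Pipeline] sh</b>"}, SERVER_KEY)
FORGED_UNSIGNED = encode_note(
    {"kind": "markup", "html": "<script>fetch('/me/configure')</script>"}, None)
FORGED_WRONG_KEY = encode_note(
    {"kind": "markup", "html": "<img src=x onerror=alert(1)>"}, secrets.token_bytes(32))

SAMPLE_LOG = (
    GENUINE + " + echo hello\n"
    + "hello " + FORGED_UNSIGNED + "\n"
    + "done " + FORGED_WRONG_KEY + "\n"
)


def demo() -> tuple:
    """(vulnerable rendering, fixed rendering) of SAMPLE_LOG."""
    return render_build_log(SAMPLE_LOG, insecure=True), render_build_log(SAMPLE_LOG)


if __name__ == "__main__":
    before, after = demo()
    print("before fix / INSECURE=true:\n" + before)
    print("after fix:\n" + after)
```

Running it renders the same stored log both ways: with `insecure=True` the attacker's `<script>` and `onerror` payloads reach the browser alongside the genuine annotation, and with the check enabled both forged notes are dropped while the genuine one still renders. The generalisation is the one worth keeping: a log stream that can carry serialized objects is attacker input, and a per-deployment MAC is what lets the server distinguish objects it created from ones an attacker merely printed.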

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched version
org.jenkins-ci.main:jenkins-core | Maven | < 2.32.2 | 2.32.2
org.jenkins-ci.main:jenkins-core | Maven | >= 2.34, < 2.44 | 2.44

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 0