CVE-2017-2610
Description
Jenkins before 2.44 and 2.32.2 had a persisted XSS in search suggestions via unescaped < > characters in user names.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A persisted cross-site scripting (XSS) vulnerability exists in Jenkins search suggestions. User names containing less-than (<) and greater-than (>) characters were not properly escaped when displayed in the autocomplete dropdown. This affects Jenkins versions before 2.44 and 2.32.2. [1][3]
Exploitation
An attacker who can create a user account or already has one can set their username to include malicious HTML/JavaScript, such as ``. When other users type in the search box, the autocomplete suggestions include the attacker's username, causing the script to execute in the victim's browser session. No additional interaction beyond typing is required. [1][3]
Impact
Successful exploitation allows arbitrary JavaScript execution in the victim's browser. This can lead to information theft, session hijacking, or actions performed on behalf of the victim. The attack is persisted because the malicious username remains in the system. [1][3]
Mitigation
The vulnerability is fixed in Jenkins versions 2.44 and 2.32.2. The commit [4] introduces `ac.formatResult = ac.formatEscapedResult;` to escape metacharacters in the search box. Users should upgrade to at least these versions. No workaround is provided in the references. [1][4]
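To make the before/after behaviour concrete, the following is an added example (not Jenkins or YUI code): a model of the two AutoComplete result formatters involved in this CVE, plus a defender-side check that flags stored user names containing HTML metacharacters. The `escapeHtml` helper and the `SAMPLE_USERS` list are constructed for the example; the formatter signatures mirror YUI's `formatResult(oResultData, sQuery, sResultMatch)` by assumption.

```javascript
// Added example modelling CVE-2017-2610 (not Jenkins or YUI code).

// Escape the characters that let a string break out of text context in HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Behaviour before the fix: the raw match string becomes the suggestion's
// markup, so "<" and ">" in a user name are interpreted by the browser.
function formatResultUnescaped(resultData, query, resultMatch) {
  return resultMatch;
}

// Behaviour after the fix (ac.formatResult = ac.formatEscapedResult): the
// match is HTML-escaped before it is placed into the dropdown, so a user name
// is always rendered as text.
function formatResultEscaped(resultData, query, resultMatch) {
  return escapeHtml(resultMatch);
}

// Defender check: list stored user names containing HTML metacharacters.
// On an instance that ran a vulnerable version, such accounts are the ones
// whose names would have been rendered as markup and are worth reviewing
// after upgrading.
function findSuspiciousUserNames(userNames) {
  return userNames.filter((name) => /[<>]/.test(name));
}

// Constructed sample user list for demonstration (not real data).
const SAMPLE_USERS = ["alice", "bob", "<b>mallory</b>", "<i>eve</i>"];

// Stand-alone demonstration.
for (const name of findSuspiciousUserNames(SAMPLE_USERS)) {
  console.log("unescaped:", formatResultUnescaped({}, "m", name));
  console.log("escaped:  ", formatResultEscaped({}, "m", name));
}
```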
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | < 2.32.2 | 2.32.2 |
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.34, < 2.44 | 2.44 |
Affected products
Patches
307ed31caba6 Merge pull request #98 from jenkinsci-cert/SECURITY-388
1 file changed · +1 −0
war/src/main/webapp/scripts/hudson-behavior.js+1 −0 modified@@ -2168,6 +2168,7 @@ function createSearchBox(searchURL) { var ac = new YAHOO.widget.AutoComplete("search-box","search-box-completion",ds); ac.typeAhead = false; ac.autoHighlight = false; + ac.formatResult = ac.formatEscapedResult; var box = $("search-box"); var sizer = $("search-box-sizer");
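Review bot: the added line `ac.formatResult = ac.formatEscapedResult;` in createSearchBox carries no explanation of why the default formatter is replaced; add a comment referencing SECURITY-388 so a later refactor of the AutoComplete setup (next to `ac.typeAhead = false; ac.autoHighlight = false;`) does not silently drop it, and back the change with a test asserting that a user name containing `<` or `>` appears escaped in the search-box-completion dropdown. Since the patch touches only this search box (1 file changed, +1), any other place that renders user names as markup needs the same treatment separately.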
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jff5-55xj-4jcq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-2610 (GHSA, advisory)
- www.securityfocus.com/bid/95951 (GHSA, vdb-entry, x_refsource_BID, web)
- bugzilla.redhat.com/show_bug.cgi (GHSA, x_refsource_CONFIRM, web)
- github.com/jenkinsci/jenkins/commit/307ed31caba68a46426b8c73a787a05add2c7489 (GHSA, x_refsource_CONFIRM, web)
- jenkins.io/security/advisory/2017-02-01 (GHSA, web)
- jenkins.io/security/advisory/2017-02-01/ (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.