Moderate severity · OSV Advisory · Published Jan 9, 2019 · Updated Aug 5, 2024

CVE-2018-1000407

Description

Jenkins 2.145 and earlier, LTS 2.138.1 and earlier have a reflected XSS in the remote API due to unvalidated wrapper query parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in Jenkins core versions 2.145 and earlier, including LTS 2.138.1 and earlier [1][2]. The flaw resides in core/src/main/java/hudson/model/Api.java and affects the XML variant of the Jenkins remote API [2][3]. The wrapper query parameter, which specifies a custom XML wrapper tag, was not validated for allowed tag names [2]. An attacker can supply an arbitrary string, including HTML/script content, that Jenkins reflects directly in the response without proper sanitization or escaping [1][2].

Exploitation

An attacker only needs to craft a malicious URL that includes an invalid wrapper parameter containing attacker-controlled HTML. No authentication or special privileges are required [1]. The victim must be tricked into clicking the crafted link or visiting a page that loads the URL (e.g., via phishing or embedding). When the Jenkins server responds, the attacker-supplied HTML/script is rendered in the victim's browser within the context of the Jenkins origin [2].

Impact

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or other actions performed in the context of the victim's Jenkins session [1][2]. The attack is reflected XSS, meaning the malicious payload is not stored on the server but delivered through the crafted URL.

Mitigation

The vulnerability was fixed in Jenkins 2.146 and LTS 2.138.2, released on 2018-10-10 [2]. The fix validates that the wrapper parameter contains only legal XML tag names, rejecting invalid values with a 400 Bad Request response [3]. Users should upgrade to Jenkins 2.146 or newer, or LTS 2.138.2 or newer. There is no workaround short of upgrading, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
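To make the fix's rule concrete, here is an added Python model (not Jenkins code, not from the advisory) that mirrors the tag-name check from the 2.146 patch and runs it over constructed access-log lines to flag requests that an unpatched instance would have reflected. The `check_wrapper_request` and `scan_access_log` helpers, the Common Log Format layout and the sample lines are assumptions for illustration; `re.ASCII` is used because Java's `\w` is ASCII-only by default.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Same rule as the Jenkins 2.146 fix: a letter or underscore, then ASCII word
# characters, dash or dot. Java's \w is ASCII-only by default, hence re.ASCII.
VALID_WRAPPER = re.compile(r"[A-Za-z_][\w.-]*", re.ASCII)


def is_valid_wrapper(wrapper):
    """True if the patched Api.doXml would accept this wrapper value.
    fullmatch() also rejects a trailing newline (e.g. from %0A), which
    re.match() with a $ anchor would let through."""
    return VALID_WRAPPER.fullmatch(wrapper) is not None


def check_wrapper_request(url):
    """Model the patched handler's decision for one request URL (assumed helper).
    Returns (status, reason): 400 is the fix's early return for an invalid
    wrapper; 200 means no wrapper, or a wrapper that is a legal tag name."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    wrappers = params.get("wrapper")
    if not wrappers:
        return 200, "no wrapper parameter"
    wrapper = wrappers[0]  # parse_qs percent-decodes, as the container would
    if not is_valid_wrapper(wrapper):
        return 400, "wrapper parameter is not a legal XML tag name"
    return 200, "wrapper <%s> accepted" % wrapper


# Constructed access-log lines (Common Log Format), not real traffic.
LOG = """\
10.0.0.5 - - [27/Sep/2018:10:00:01 +0000] "GET /whoAmI/api/xml?xpath=*&wrapper=items HTTP/1.1" 200 512
10.0.0.9 - - [27/Sep/2018:10:00:07 +0000] "GET /whoAmI/api/xml?xpath=*&wrapper=-bad HTTP/1.1" 200 640
10.0.0.9 - - [27/Sep/2018:10:00:09 +0000] "GET /job/demo/api/xml?wrapper=a%3Cb HTTP/1.1" 200 700
10.0.0.7 - - [27/Sep/2018:10:00:11 +0000] "GET /job/demo/api/json HTTP/1.1" 200 300
""".splitlines()


def scan_access_log(lines):
    """Return the api/xml request paths whose wrapper an unpatched instance
    would have reflected: the requests worth triaging in logs written
    before the upgrade to 2.146 / 2.138.2."""
    hits = []
    for line in lines:
        fields = line.split()  # CLF: the request path is the 7th field
        if len(fields) < 7 or "/api/xml" not in fields[6]:
            continue
        status, _ = check_wrapper_request(fields[6])
        if status == 400:
            hits.append(fields[6])
    return hits
```

`scan_access_log(LOG)` returns the two `api/xml` paths whose wrapper fails the check; requests without a wrapper, or with a legal tag name, are not reported.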

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Ecosystem   Affected versions    Patched versions
org.jenkins-ci.main:jenkins-core   Maven       < 2.138.2            2.138.2
org.jenkins-ci.main:jenkins-core   Maven       >= 2.140, < 2.146    2.146


Patches

df87e12ddcfe

[SECURITY-1129]

https://github.com/jenkinsci/jenkins · Ramon Leon · Sep 27, 2018 · via ghsa
5 files changed · +102 −0
  • core/src/main/java/hudson/model/Api.java (+12 −0, modified)
    @@ -133,7 +133,19 @@ public void doXml(StaplerRequest req, StaplerResponse rsp,
                     XPath comp = dom.createXPath(xpath);
                     comp.setFunctionContext(functionContext);
                     List list = comp.selectNodes(dom);
    +
                     if (wrapper!=null) {
    +                    // check if the wrapper is a valid entity name
    +                    // First position:  letter or underscore
    +                    // Other positions: \w (letter, number, underscore), dash or dot
    +                    String validNameRE = "^[a-zA-Z_][\\w-\\.]*$";
    +
    +                    if(!wrapper.matches(validNameRE)) {
    +                        rsp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
    +                        rsp.getWriter().print(Messages.Api_WrapperParamInvalid());
    +                        return;
    +                    }
    +
                         Element root = DocumentFactory.getInstance().createElement(wrapper);
                         for (Object o : list) {
                             if (o instanceof String) {
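Review bot: the early-return branch sets SC_BAD_REQUEST and prints Messages.Api_WrapperParamInvalid() but never sets a Content-Type or charset on the response, so the error body goes out with whatever the container defaults to; add `rsp.setContentType("text/plain;charset=UTF-8");` before `rsp.getWriter().print(...)` so the localized message is not subject to content sniffing. Two minor points on validNameRE: the `^` and `$` anchors are redundant with String.matches(), which already requires the whole string to match, and `\w` is ASCII-only in Java, so the check is stricter than the XML Name production (no non-ASCII letters, no colon); that is a reasonable choice for a security fix but worth stating in the comment.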
    
  • core/src/main/resources/hudson/model/Messages_es.properties (+1 −0, modified)
    @@ -47,6 +47,7 @@ AbstractProject.ExtendedReadPermission.Description=\
     Api.MultipleMatch=XPath "{0}" encontr\u00f3 coincidencias en {1} nodos. \
       Crea una expresi\u00f3n XPath que s\u00f3lo encuentre uno, o utiliza el par\u00e1metro "wraper" para que todos los nodos se agrupen bajo un elemento.
     Api.NoXPathMatch=XPath {0} no encontr\u00f3 nada 
    +Api.WrapperParamInvalid=El par\u00E1metro wrapper s\u00F3lo puede contener caracteres alfanum\u00E9ricos o guiones/puntos/subrayado. El primer car\u00E1cter debe ser una letra o subrayado.
     
     BallColor.Aborted=Abortado
     BallColor.Disabled=Desactivado
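Review bot: the unchanged context line for Api.MultipleMatch still spells the parameter "wraper" while the new Api.WrapperParamInvalid key says "wrapper"; since this file is being edited for the wrapper message anyway, fix the pre-existing typo so both strings name the same query parameter.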
    
  • core/src/main/resources/hudson/model/Messages_fr.properties (+2 −0, modified)
    @@ -41,6 +41,7 @@ AbstractProject.WorkspacePermission.Description=\
     Api.MultipleMatch=Le XPath "{0}" correspond \u00e0 {1} noeud(s). \
         Merci de fournir un XPath qui ne correspond qu''\u00e0 un seul noeud, ou utilisez le param\u00e8tre de requ\u00e8te "wrapper" pour les encapsuler tous dans un \u00e9l\u00e9ment racine.
     Api.NoXPathMatch=Pas de correspondance avec le XPath {0}
    +Api.WrapperParamInvalid=Le param\u00E8tre wrapper ne doit contenir que des caract\u00E8res alphanum\u00E9riques ainsi que des points / tirets bas / traits d''union, et finalement le premier caract\u00E8re doit \u00EAtre une lettre ou un trait d''union.
     
     BallColor.Aborted=Annul\u00e9
     BallColor.Disabled=D\u00e9sactiv\u00e9
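Review bot: the new French message ends with "le premier caractère doit être une lettre ou un trait d'union" (a letter or a hyphen), which contradicts validNameRE in Api.java and the English message, where the first character must be a letter or underscore; replace "trait d'union" with "tiret bas" (or "trait de soulignement"). "finalement" also reads oddly in this sentence; "et le premier caractère doit être ..." is enough.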
    @@ -178,3 +179,4 @@ MyViewsProperty.GlobalAction.DisplayName=Mes vues
     
     ManageJenkinsAction.DisplayName=Administrer Jenkins
     ParametersDefinitionProperty.DisplayName=Ce build a des param�tres
    +
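Review bot: this hunk only appends an empty line at the end of Messages_fr.properties and is unrelated to SECURITY-1129; drop it to keep the security fix minimal. The context line "Ce build a des param�tres" shows a replacement character as rendered here, which may indicate an unescaped non-ASCII byte in a file that otherwise uses \u escapes; worth checking separately, outside this change.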
    
  • core/src/main/resources/hudson/model/Messages.properties (+1 −0, modified)
    @@ -84,6 +84,7 @@ AbstractProject.LabelLink=<a href="{0}{2}">Label {1}</a> is serviced by {3,choic
     Api.MultipleMatch=XPath "{0}" matched {1} nodes. \
         Create XPath that only matches one, or use the "wrapper" query parameter to wrap them all under a root element.
     Api.NoXPathMatch=XPath {0} didn\u2019t match
    +Api.WrapperParamInvalid=The wrapper parameter can only contain alphanumeric characters or dash/dot/underscore. The first character has to be a letter or underscore.
     
     BallColor.Aborted=Aborted
     BallColor.Disabled=Disabled
    
  • test/src/test/java/hudson/model/ApiSecurity1129Test.java (+86 −0, added)
    @@ -0,0 +1,86 @@
    +package hudson.model;
    +
    +import com.gargoylesoftware.htmlunit.WebResponse;
    +import org.junit.Rule;
    +import org.junit.Test;
    +import org.jvnet.hudson.test.Issue;
    +import org.jvnet.hudson.test.JenkinsRule;
    +import org.xml.sax.SAXException;
    +
    +import javax.servlet.http.HttpServletResponse;
    +import java.io.IOException;
    +
    +import static org.junit.Assert.assertEquals;
    +import static org.junit.Assert.fail;
    +
    +//TODO after the security fix, it could be merged inside ApiTest
    +public class ApiSecurity1129Test {
    +    @Rule
    +    public JenkinsRule j = new JenkinsRule();
    +
    +    /**
    +     * Test the wrapper parameter for the api/xml urls to avoid XSS.
    +     * @throws Exception See {@link #checkWrapperParam(String, Integer, String)}
    +     */
    +    @Issue("SECURITY-1129")
    +    @Test
    +    public void wrapperXss() throws Exception {
    +        String wrapper = "html%20xmlns=\"http://www.w3.org/1999/xhtml\"><script>alert(%27XSS%20Detected%27)</script></html><!--";
    +
    +        checkWrapperParam(wrapper, HttpServletResponse.SC_BAD_REQUEST, Messages.Api_WrapperParamInvalid());
    +    }
    +
    +    /**
    +     * Test the wrapper parameter for the api/xml urls with a bad name.
    +     * @throws Exception See {@link #checkWrapperParam(String, Integer, String)}
    +     */
    +    @Issue("SECURITY-1129")
    +    @Test
    +    public void wrapperBadName() throws Exception {
    +        String wrapper = "-badname";
    +        checkWrapperParam(wrapper, HttpServletResponse.SC_BAD_REQUEST, Messages.Api_WrapperParamInvalid());
    +
    +    }
    +
    +    /**
    +     * Test thw erapper parameter with a good name, to ensure the security fix doesn't break anything.
    +     * @throws Exception See {@link #checkWrapperParam(String, Integer, String)}
    +     */
    +    @Issue("SECURITY-1129")
    +    @Test
    +    public void wrapperGoodName() throws Exception {
    +        String wrapper = "__GoodName-..-OK";
    +        checkWrapperParam(wrapper, HttpServletResponse.SC_OK, null);
    +
    +    }
    +
    +    /**
    +     * Check the response for a XML api with the wrapper param specified. At least the statuCode or the responseMessage
    +     * should be indicated.
    +     * @param wrapper the wrapper param passed in theurl.
    +     * @param statusCode the status code expected in the response. If it's null, it's not checked.
    +     * @param responseMessage the message expected in the response. If it's null, it's not checked.
    +     * @throws IOException See {@link org.jvnet.hudson.test.JenkinsRule.WebClient#goTo(String, String)}
    +     * @throws SAXException See {@link org.jvnet.hudson.test.JenkinsRule.WebClient#goTo(String, String)}
    +     */
    +    private void checkWrapperParam(String wrapper, Integer statusCode, String responseMessage) throws IOException, SAXException {
    +        if (statusCode == null && responseMessage == null) {
    +            fail("You should check at least one, the statusCode or the responseMessage when testing the wrapper param");
    +        }
    +
    +        JenkinsRule.WebClient wc = j.createWebClient();
    +        wc.getOptions().setThrowExceptionOnFailingStatusCode(false);
    +        WebResponse response = wc.goTo(String.format("whoAmI/api/xml?xpath=*&wrapper=%s", wrapper), null).getWebResponse();
    +
    +        if (response != null) {
    +            if (statusCode != null) {
    +                assertEquals(statusCode.intValue(), response.getStatusCode());
    +            }
    +            if (responseMessage != null) {
    +                assertEquals(responseMessage, response.getContentAsString());
    +            }
    +        } else {
    +            fail("The response shouldn't be null");
    +        }
    +    }
    +}
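Review bot: wrapperGoodName only asserts a 200 status, so it would still pass if the wrapper were silently ignored; parse response.getContentAsString() and assert that the root element is named `__GoodName-..-OK`, so the test proves the legitimate use case still works after the fix. The `response != null` branch in checkWrapperParam can be dropped, since a completed goTo() call always yields a WebResponse. Javadoc typos: "Test thw erapper parameter" should read "Test the wrapper parameter", "statuCode" should be "statusCode", and "theurl" should be "the url".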
    

