VYPR
Moderate severity · NVD Advisory · Published Jul 23, 2018 · Updated Aug 5, 2024

CVE-2018-1999005

Description

Jenkins 2.132 and earlier, 2.121.1 and earlier contain a stored XSS in BuildTimelineWidget that lets attackers with Job/Configure permission execute JavaScript in other users' browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Jenkins core versions 2.132 and earlier, and 2.121.1 and earlier, in the BuildTimelineWidget.java and BuildTimelineWidget/control.jelly files. The vulnerability allows attackers with Job/Configure permission to inject malicious JavaScript code via the build display name, which is then executed in another user's browser when that user performs certain UI actions related to the build timeline. [1], [2]

Exploitation

An attacker must have Job/Configure permission on a Jenkins project. The attacker sets a build display name containing crafted JavaScript (e.g., an HTML-entity-encoded tag such as &lt;script&gt;, which the timeline's client-side library decodes back into markup). When another user views the build timeline widget (e.g., by accessing the build timeline page or performing UI actions that load timeline data), the injected script executes in the victim's browser within the Jenkins context. The exploit does not require the victim to have any special privileges beyond being able to view the timeline. [1], [4]

Impact

Successful exploitation results in execution of arbitrary JavaScript in the victim's browser within the Jenkins application context. This can lead to theft of session cookies, impersonation of the victim user, defacement, or other actions that the victim user could perform. The attacker does not gain direct access to the server but can perform actions on behalf of the victim. [1], [2]

Mitigation

The vulnerability is fixed in Jenkins 2.133 (weekly) and 2.121.2 (LTS), released on 2018-07-18. The fix escapes the build display name with Util.escape and then replaces the named entity &lt; with the numeric character reference &#60;, because the timeline's client-side library (SimileAjax.HTML.deEntify) decodes &lt; back into a literal < but leaves &#60; alone. Administrators should upgrade to these versions or later. No workaround is available for earlier versions. [2], [4]
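The two-step escaping in the fix, modelled as an added example (this is not Jenkins or SimileAjax code): escapeHtml stands in for hudson.Util.escape and deEntify for SimileAjax.HTML.deEntify, and both behaviours are assumed from the fix commit's comment rather than taken from the libraries.

```javascript
// Added example, not code from Jenkins or SimileAjax. It models the server-side
// escaping of the build display name and the client-side entity decoding that
// the fix commit's comment describes, to show why escaping alone was not enough.

// Stand-in for hudson.Util.escape, limited to the HTML-significant characters
// (assumption: the real method also rewrites whitespace and newlines).
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;');
}

// Stand-in for SimileAjax.HTML.deEntify as characterised by the fix comment:
// named entities such as &lt; become characters again, numeric references such
// as &#60; are left untouched. Assumption: a single decoding pass over the string.
const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', nbsp: '\u00A0' };
function deEntify(s) {
  return s.replace(/&([a-z]+);/g, (m, name) =>
    Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : m);
}

// Three ways the server could build e.title for the timeline JSON.
function titleBeforeFix(displayName) { return displayName; }             // vulnerable code
function titleEscapeOnly(displayName) { return escapeHtml(displayName); } // naive fix
function titlePatched(displayName) {                                      // SECURITY-944 fix
  return escapeHtml(displayName).replace(/&lt;/g, '&#60;');
}

// The widget renders whatever deEntify hands back as HTML, so a literal "<" at
// that point opens a tag. Returns true when no tag can be opened.
function rendersInert(title) {
  return !deEntify(title).includes('<');
}

// Runs all three strategies over one display name.
function compareStrategies(displayName) {
  return {
    beforeFix: rendersInert(titleBeforeFix(displayName)),
    escapeOnly: rendersInert(titleEscapeOnly(displayName)),
    patched: rendersInert(titlePatched(displayName)),
  };
}

// Constructed sample: a display name carrying markup.
const SAMPLE = 'build #12 <b>hello</b>';
console.log(compareStrategies(SAMPLE)); // { beforeFix: false, escapeOnly: false, patched: true }
```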

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Affected versions     Patched versions
org.jenkins-ci.main:jenkins-core (Maven)    < 2.121.2             2.121.2
org.jenkins-ci.main:jenkins-core (Maven)    >= 2.122, < 2.132     2.132

Patches

8697bdff0342

[SECURITY-944]

https://github.com/jenkinsci/jenkins · Wadeck Follonier · Jun 19, 2018 · via ghsa
2 files changed · +5 −2
  • core/src/main/java/hudson/model/BuildTimelineWidget.java · +4 −1 · modified
    @@ -23,6 +23,7 @@
      */
     package hudson.model;
     
    +import hudson.Util;
     import hudson.util.RunList;
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
    @@ -64,7 +65,9 @@ public TimelineEventList doData(StaplerRequest req, @QueryParameter long min, @Q
                 Event e = new Event();
                 e.start = new Date(r.getStartTimeInMillis());
                 e.end   = new Date(r.getStartTimeInMillis()+r.getDuration());
    -            e.title = r.getFullDisplayName();
    +            // due to SimileAjax.HTML.deEntify (in simile-ajax-bundle.js), "&lt;" are transformed back to "<", but not the "&#60";
    +            // to protect against XSS
    +            e.title = Util.escape(r.getFullDisplayName()).replace("&lt;", "&#60;");
                 // what to put in the description?
                 // e.description = "Longish description of event "+r.getFullDisplayName();
                 // e.durationEvent = true;
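Review bot: the safety of `.replace("&lt;", "&#60;")` rests on an undocumented property of SimileAjax.HTML.deEntify, that it decodes named entities but leaves numeric character references alone, and the comment only states this for &lt;; it should also say whether the other entities Util.escape produces (for >, & and ") are decoded and why that is harmless, and a regression test with a display name containing < (and one already containing the literal text &lt;) would keep a future simile-ajax upgrade from silently undoing the fix. Minor grammar in the comment: `"&lt;" are transformed` should read `"&lt;" is transformed`.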
    
  • core/src/main/resources/hudson/model/BuildTimelineWidget/control.jelly · +1 −1 · modified
    @@ -56,7 +56,7 @@ THE SOFTWARE.
                   onSuccess: function(t) {
                     if (t.status != 0) {
                       try {
    -                    eventSource1.loadJSON(eval('('+t.responseText+')'),'.');
    +                    eventSource1.loadJSON(JSON.parse(t.responseText),'.');
                         getData(eventSource1, current-1, min, max);
                       } catch (e) {
                         alert(e);
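Review bot: replacing `eval('('+t.responseText+')')` with `JSON.parse(t.responseText)` is the right change, since the old form would execute any script contained in the response rather than only parse it; note that JSON.parse throws on a body that is not valid JSON, and the existing `catch (e) { alert(e); }` turns that into a modal alert on every timeline poll, so a console message or a single inline notice would be less disruptive for users than `alert(e)`.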
    
