CVE-2018-1999007
Description
Jenkins 2.132 and earlier, 2.121.1 and earlier are vulnerable to stored XSS in 404 error pages when Stapler debug mode is enabled, allowing attackers to execute JavaScript in victims' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins core versions 2.132 and earlier, and 2.121.1 and earlier, contain a cross-site scripting (XSS) vulnerability in the Stapler web framework's org/kohsuke/stapler/Stapler.java file [1]. When Stapler debug mode is enabled, the framework generates HTTP 404 error pages that include user-controlled data without proper escaping. The commit at [3] shows that the fix adds escape() calls around node.toString() in the error page output, confirming the lack of escaping prior to the patch. The vulnerability allows an attacker who can control the existence of certain URLs in Jenkins to inject JavaScript into the error page content.
Exploitation
An attacker must be able to control whether a particular URL exists within Jenkins (for example, by creating or deleting resources that affect URL routing). Stapler debug mode must be enabled on the Jenkins instance, and the target user must view a 404 error page triggered by that URL. When the user accesses a URL that the attacker has made non-existent, the error page renders the attacker-controlled path or object name without sanitization, executing the injected JavaScript in the user's browser session [1][2]. No authentication or special network position is required beyond the ability to influence URL existence.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the Jenkins instance. This can lead to theft of session cookies, unauthorized actions performed on behalf of the victim, or disclosure of sensitive information visible within Jenkins. The attack requires the debug mode to be enabled, which limits the scope of affected instances, but when enabled, the impact can include full compromise of the victim's Jenkins session [1][2].
Mitigation
Jenkins released a security advisory on 2018-07-18 addressing this issue [2]. The fix is included in Jenkins 2.133 (weekly release) and 2.121.2 (LTS release); users should upgrade to these or later versions. The fix properly escapes output in the error pages, as shown in the commit to the Stapler framework [3]. Where an upgrade is not immediately possible, disabling Stapler debug mode prevents the vulnerability from being exploited. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | < 2.121.2 | 2.121.2 |
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.122, < 2.132 | 2.132 |
| org.kohsuke.stapler:stapler-parent (Maven) | < 1.250.1 | 1.250.1 |
Affected products
2 GHSA coordinates, 2 version ranges:
- (no CPE) range: < 2.121.2
- (no CPE) range: < 1.250.1
Patches
1 patch · 2 files changed · +62 −2
core/src/main/java/org/kohsuke/stapler/Stapler.java+2 −2 modified@@ -877,9 +877,9 @@ void invoke(RequestImpl req, ResponseImpl rsp, Object node ) throws IOException, w.println("<p>Stapler processed this HTTP request as follows, but couldn't find the resource to consume the request"); w.println("<pre>"); EvaluationTrace.get(req).printHtml(w); - w.printf("<font color=red>-> No matching rule was found on <%s> for \"%s\"</font>\n",node,req.tokens.assembleOriginalRestOfPath()); + w.printf("<font color=red>-> No matching rule was found on <%s> for \"%s\"</font>\n", escape(node.toString()), req.tokens.assembleOriginalRestOfPath()); w.println("</pre>"); - w.printf("<p><%s> has the following URL mappings, in the order of preference:",node); + w.printf("<p><%s> has the following URL mappings, in the order of preference:", escape(node.toString())); w.println("<ol>"); MetaClass metaClass = webApp.getMetaClass(node); for (Dispatcher d : metaClass.dispatchers) {
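Review bot: only node.toString() gained escape() in this hunk; the second argument of the first printf, req.tokens.assembleOriginalRestOfPath(), is still written into the HTML unescaped, and it is taken straight from the request tokens, so it is as attacker-influenced as the node name. Wrap it in escape() too, e.g. `escape(req.tokens.assembleOriginalRestOfPath())`, or state in a comment why it cannot contain HTML metacharacters at this point. Cosmetic: both messages keep the obsolete <font color=red> tag; a span with a class would be cleaner, but that is outside the security fix.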
core/src/test/java/org/kohsuke/stapler/Stapler2Test.java+60 −0 added@@ -0,0 +1,60 @@ +/* + * Copyright (c) 2017, CloudBees, Inc + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * * Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +package org.kohsuke.stapler; + +import com.gargoylesoftware.htmlunit.WebClient; +import com.gargoylesoftware.htmlunit.WebResponse; +import java.net.URL; +import javax.servlet.http.HttpServletResponse; +import org.jvnet.hudson.test.For; +import org.jvnet.hudson.test.Issue; +import org.kohsuke.stapler.test.JettyTestCase; + +@For(Stapler.class) // but StaplerTest is not a JettyTestCase +public class Stapler2Test extends JettyTestCase { + + @Issue("SECURITY-390") + public void testTraceXSS() throws Exception { + WebClient wc = new WebClient(); + wc.setThrowExceptionOnFailingStatusCode(false); + WebResponse rsp; + Dispatcher.TRACE = true; + try { + rsp = wc.getPage(new URL(this.url, "thing/<button>/x")).getWebResponse(); + } finally { + Dispatcher.TRACE = false; + } + assertEquals(HttpServletResponse.SC_NOT_FOUND, rsp.getStatusCode()); + String html = rsp.getContentAsString(); + assertTrue(html, html.contains("<button>")); + assertFalse(html, html.contains("<button>")); + } + public Object getThing(String name) { + return name; + } + +}
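Review bot: the last two assertions in testTraceXSS are contradictory as shown, `assertTrue(html, html.contains("<button>"))` immediately followed by `assertFalse(html, html.contains("<button>"))`, and cannot both pass. The first assertion is evidently meant to check for the escaped form, html.contains("&lt;button&gt;"), and the rendered diff looks like the entity was decoded when the page was generated; confirm the committed source asserts on the escaped string, otherwise the test does not prove the fix. Minor: the license header says 2017 while this change ships with the 2018-07-18 advisory.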
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5 references:
- github.com/advisories/GHSA-6456-xjm5-g3pg (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1999007 (ghsa; ADVISORY)
- github.com/jenkinsci/stapler/commit/03e221a81e8424709d1fbdf72ab814309dd8e13f (ghsa; WEB)
- jenkins.io/security/advisory/2018-07-18/ (ghsa, x_refsource_CONFIRM; WEB)
- www.oracle.com/security-alerts/cpuapr2022.html (ghsa, x_refsource_MISC; WEB)
News mentions
0 linked articles: no linked articles in our index yet.