
I'm using the latest standalone Jenkins war on my Linux server, running on port 9043.

The security-audit team reported a "Cross-Site Scripting (XSS)" vulnerability for the Jenkins URL below.

https://myjenkinshost:9043/label/64_Salve/api/python

"64_Salve" happens to be a Jenkins slave node agent I had configured a few years back.

As a proof of concept they have shared the following:

Intercept the request using a proxy tool and modify the request as shown. When the response is viewed in the browser, the file is downloaded as shown.

Then there is a pop-up that prompts for opening or saving a "python" file.

Can you please suggest how I can address this vulnerability?

Ashar
  • It would help to know the version of Jenkins you are running ("latest" is temporal and contextual), the OS involved, the version of the remoting/agent/slave you have, the plugins involved, etc. If you do believe this to be a security issue, then it's best to submit a [SECURITY JIRA](https://www.jenkins.io/security/) – Ian W Jun 30 '20 at 08:56
  • The version of the Jenkins master server is 2.234, running on Red Hat Linux 7.6, while the slave `64_Salve` is Oracle Linux 7.6. Can you please suggest @Ian W – Ashar Jun 30 '20 at 13:25
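The first thing to pin down with a finding like this is whether the browser would ever render the response body inline in the Jenkins origin, because a body that is only ever offered as a download (the open/save prompt described in the question) is not executed as script in that origin. Below is an added example, not code from the question, from the auditors, or from Jenkins: a small checker that classifies a response from its headers (Content-Type, Content-Disposition, X-Content-Type-Options) and can optionally fetch those headers from a live endpoint. The host name, the `verify_tls` flag and the two sample header sets are assumptions and constructed samples, not observed Jenkins output.

```python
"""Classify whether an HTTP response could be rendered inline as a script-capable
document by a browser, which is the precondition for reflected content in the body
to be exploitable as XSS.  Added example; sample headers are constructed, not real
Jenkins responses."""
import ssl
import sys
import urllib.request
from typing import Dict, Mapping, Tuple

# Media types a browser renders as a document in which script can run.
SCRIPT_CAPABLE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}

# Constructed sample 1: what an "open or save this file" prompt looks like on the wire.
DOWNLOAD_SAMPLE = {
    "Content-Type": "text/plain; charset=UTF-8",          # assumed value
    "Content-Disposition": "attachment; filename=python", # assumed value
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample 2: the kind of response that *would* make reflected input exploitable.
HTML_SAMPLE = {
    "Content-Type": "text/html; charset=UTF-8",
}


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'text/html; charset=UTF-8' into ('text/html', {'charset': 'utf-8'})."""
    if not value:
        return "", {}
    parts = [p.strip() for p in value.split(";")]
    media = parts[0].lower()
    params: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"').lower()
    return media, params


def assess(headers: Mapping[str, str]) -> Dict[str, object]:
    """Return the facts a reviewer needs to decide whether inline XSS is possible."""
    lowered = {k.lower(): v for k, v in headers.items()}
    media, _ = parse_content_type(lowered.get("content-type", ""))
    disposition = lowered.get("content-disposition", "").lower()
    forced_download = disposition.startswith("attachment")
    nosniff = lowered.get("x-content-type-options", "").lower() == "nosniff"
    script_capable = media in SCRIPT_CAPABLE_TYPES
    # A missing media type without nosniff leaves the browser free to guess, possibly HTML.
    sniffable = media == "" and not nosniff
    return {
        "media_type": media,
        "forced_download": forced_download,
        "nosniff": nosniff,
        "script_capable_type": script_capable,
        "inline_xss_possible": (not forced_download) and (script_capable or sniffable),
    }


def fetch_headers(url: str, verify_tls: bool = True) -> Dict[str, str]:
    """GET the URL and return its response headers (verify_tls=False for self-signed Jenkins)."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Offline run over the constructed samples; pass a URL to check a live endpoint instead.
    targets = sys.argv[1:]
    if targets:
        for url in targets:
            print(url, assess(fetch_headers(url, verify_tls=False)))
    else:
        for name, sample in (("download sample", DOWNLOAD_SAMPLE), ("html sample", HTML_SAMPLE)):
            print(name, assess(sample))
```

Run it as `python check_headers.py https://myjenkinshost:9043/label/64_Salve/api/python` (host name taken from the question, file name assumed) and compare the live result with the two samples. If the live response reports `forced_download` true and `inline_xss_possible` false, the observed open/save prompt is the browser refusing to render the body, and the remaining question for the auditors is what input the modified request reflects and where. If it reports a script-capable type without an attachment disposition, the finding is real and belongs in a Jenkins security report as the comment above suggests.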
