
CVE-2012-4440: Jenkins Violation Plugin allows Cross-Site Scripting (XSS)

CVSS Score (CVSS 3.1)
6.1

Basic Information

EPSS Score
0.8025%
Published
4/23/2022
Updated
3/12/2025
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
org.jenkins-ci.plugins:violations
Ecosystem
maven
Vulnerable Versions
< 0.7.11
First Patched Version
0.7.11

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two key patterns:

  1. In FileModelProxy.java, the severityColumn method directly appended user-controlled values (violation.getSource() and getSourceDetail()) to HTML output without escaping, as shown in the pre-patch code. The fix added Functions.escape() wrappers.
  2. Multiple Jelly templates lacked the <?jelly escape-by-default='true'?> directive and used unsafe ${} expressions. The patch added the escaping directive and replaced some ${} expressions with <j:out> tags, which escape their output implicitly. Both patterns allowed raw HTML or script to be injected through violation data that was not sanitized before rendering.
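As an added illustration (not code from the Violations plugin or from Miggo), the two renderings below contrast the concatenation pattern described in item 1 with its escaped form. The Violation class, its field names and the escapeHtml helper are assumptions: escapeHtml is a local stand-in for Jenkins core's Functions.escape() so the class compiles and runs without Jenkins on the classpath.

```java
// Added example, not the Violations plugin's own code. It shows the
// unescaped concatenation pattern next to an escaped rendering.
// escapeHtml is a local stand-in for Jenkins core's Functions.escape().
public class SeverityColumnExample {

    // Constructed stand-in for a violation record; field names are assumptions.
    static final class Violation {
        private final String source;
        private final String sourceDetail;

        Violation(String source, String sourceDetail) {
            this.source = source;
            this.sourceDetail = sourceDetail;
        }

        String getSource() { return source; }
        String getSourceDetail() { return sourceDetail; }
    }

    // Vulnerable pattern: values taken from violation data land in the markup
    // unchanged, so any markup they carry is interpreted by the browser.
    static String severityColumnUnsafe(Violation v) {
        return "<td>" + v.getSource() + "</td><td>" + v.getSourceDetail() + "</td>";
    }

    // Hardened pattern: every externally influenced value is escaped at the
    // point where it is written into HTML.
    static String severityColumnSafe(Violation v) {
        return "<td>" + escapeHtml(v.getSource()) + "</td><td>"
                + escapeHtml(v.getSourceDetail()) + "</td>";
    }

    // Minimal HTML entity escaper covering the characters that let a value
    // break out of element text or an attribute value.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a violation "source" field that carries markup.
        Violation v = new Violation("<script>alert('xss')</script>", "line 12");
        System.out.println("unsafe: " + severityColumnUnsafe(v));
        System.out.println("safe:   " + severityColumnSafe(v));
    }
}
```

Running the class prints the first row with a live script element and the second with the same text reduced to inert entities. The Jelly side of the fix follows the same rule: once a template declares escape-by-default, every ${} expression is escaped unless the template opts out for a specific value.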

Vulnerable functions


WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) in Jenkins main before *.*** and LTS before *.***.* allows remote attackers to inject arbitrary web script or HTML in the Violations plugin.
