
CVE-2014-2065: Jenkins cross-site scripting (XSS) vulnerability

CVSS Score: 4.3

Basic Information

EPSS Score: 0.30359%
Published: 5/17/2022
Updated: 3/5/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Package Name                     | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.main:jenkins-core | maven     | >= 1.533, < 1.551   | 1.551
org.jenkins-ci.main:jenkins-core | maven     | < 1.532.2           | 1.532.2

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stemmed from unvalidated handling of the 'iconSize' cookie. Key evidence includes:

  1. The View.java initialization block directly used getCookie() without validation (fixed by wrapping with validateIconSize)
  2. Jenkins.java's doIconSize endpoint accepted arbitrary query strings for cookie values (fixed by adding validation)
  3. The getCookie() helper itself was not inherently vulnerable, but its return value was used without validation in multiple contexts. The high-confidence entries are the direct injection points; getCookie() is rated medium confidence because it only enabled the issue by lacking validation.
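The pattern described above, as an added illustration that is not Jenkins' own code: an iconSize value taken from a cookie or request parameter and concatenated into markup, first unchecked (the 'before' state the analysis describes), then passed through an allowlist check named validateIconSize after the fix mentioned on this page. The allowlist values, the HTML snippet and the helper method names other than validateIconSize are assumptions made for the example.

```java
import java.util.Set;

/**
 * Illustrative reconstruction of the CVE-2014-2065 pattern: an "iconSize"
 * cookie read and echoed into HTML, first unchecked, then behind an allowlist.
 * Not Jenkins' own code; the allowlist values and the markup are assumptions.
 */
public class IconSizeValidation {

    // Assumed allowlist of legitimate icon sizes (Jenkins' real set may differ).
    private static final Set<String> ALLOWED_ICON_SIZES = Set.of("16x16", "24x24", "32x32");
    private static final String DEFAULT_ICON_SIZE = "32x32";

    // Vulnerable pattern: the cookie value is concatenated straight into markup,
    // so any character the cookie carries ends up in the page.
    static String renderUnvalidated(String iconSizeCookie) {
        return "<img src=\"/static/icons/" + iconSizeCookie + "/job.png\">";
    }

    // Hardened: anything outside the allowlist is replaced by the default.
    // Rejecting rather than escaping is the right choice here because the value
    // is a selector, not free text; no legitimate request carries an unlisted value.
    static String validateIconSize(String value) {
        if (value != null && ALLOWED_ICON_SIZES.contains(value)) {
            return value;
        }
        return DEFAULT_ICON_SIZE;
    }

    static String renderValidated(String iconSizeCookie) {
        return "<img src=\"/static/icons/" + validateIconSize(iconSizeCookie) + "/job.png\">";
    }

    // Hypothetical counterpart of the cookie-setting endpoint: the value from the
    // request is validated before it is written back as the cookie value, so the
    // cookie itself can never hold an unlisted string (defence at both ends).
    static String cookieValueForRequest(String requestedSize) {
        return validateIconSize(requestedSize);
    }

    public static void main(String[] args) {
        String benign = "24x24";
        // Constructed hostile value: closes the attribute and opens a new tag.
        String hostile = "\"><b>injected</b>";

        System.out.println("unvalidated, benign : " + renderUnvalidated(benign));
        System.out.println("unvalidated, hostile: " + renderUnvalidated(hostile));
        System.out.println("validated,   hostile: " + renderValidated(hostile));
        System.out.println("cookie set to       : " + cookieValueForRequest(hostile));
    }
}
```

Running the class shows the hostile value surviving intact in the unvalidated output and collapsing to the default size in the validated one. The validation is applied at both the read side (View rendering) and the write side (the cookie-setting endpoint), which mirrors the two fix locations listed in the root cause analysis: either check alone closes the reported path, but validating at both ends means a stale or hand-edited cookie is also neutralised.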

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.
