5.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-2607

GHSA ID

GHSA-42m6-7xff-9v9m

EPSS Score

0.08489%

CWE

CWE-79

Published

5/13/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-2607

CVE-2017-2607: Improper Neutralization of Input During Web Page Generation in Jenkins

Jenkins before versions 2.44 and 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.

(GitHub Advisory)

5.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-2607

GHSA ID

GHSA-42m6-7xff-9v9m

EPSS Score

0.08489%

CWE

CWE-79

Published

5/13/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.main:jenkins-core	maven	<= 2.32.1	2.32.2
org.jenkins-ci.main:jenkins-core	maven	>= 2.34, <= 2.43	2.44

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper validation of console note serialization. The ConsoleNote.fromString method was responsible for parsing build log annotations without verifying their authenticity. The security fix introduced cryptographic signing (via SECRET.key) to validate console notes, indicating the original implementation lacked this critical security check. This matches the CWE-79 XSS pattern where untrusted input flows directly into web output without proper neutralization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins ***or* v*rsions *.** *n* *.**.* is vuln*r**l* to * p*rsist** *ross-sit* s*riptin* vuln*r**ility in *onsol* not*s (S**URITY-***). J*nkins *llows plu*ins to *nnot*t* *uil* lo*s, ***in* n*w *ont*nt or ***n*in* t** pr*s*nt*tion o* *xistin* *ont*n

Reasoning

T** vuln*r**ility st*ms *rom improp*r `v*li**tion` o* *onsol* not* s*ri*liz*tion. T** `*onsol*Not*.*romStrin*` m*t*o* w*s r*sponsi*l* *or p*rsin* *uil* lo* *nnot*tions wit*out v*ri*yin* t**ir *ut**nti*ity. T** s**urity *ix intro*u*** *rypto*r*p*i* si

5.4

Basic Information

Concerned about an active attack path?

CVE-2017-2607: Improper Neutralization of Input During Web Page Generation in Jenkins

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI