CVE-2017-2601: Cross-site Scripting

May 10, 2018 (updated October 9, 2019)

Jenkins is vulnerable to a persisted cross-site scripting in parameter names and descriptions. Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.

References

www.securityfocus.com/bid/95960
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2601
jenkins.io/security/advisory/2017-02-01/
nvd.nist.gov/vuln/detail/CVE-2017-2601

Detect and mitigate CVE-2017-2601 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →