Lucene search

HistoryJan 09, 2014 - 12:00 a.m.

[CVE-2013-5676] Plain Text Password In SonarQube Jenkins Plugin







  1. Advisory Information

Title: Default markup formatter permits offsite-bound forms
Date published : 2013-12-16
Date of last update: 2013-12-16
Vendors contacted : Jenkins CI v 1.523
Discovered by: Christian Catalano
Severity: Low

  1. Vulnerability Information

CVE reference: CVE-2013-5573
CVSS v2 Base Score: 4.7
CVSS v2 Vector : (AV:N/AC:L/Au:M/C:P/I:P/A:N)
Component/s : Jenkins CI v 1.523
Class : HTML Injection

  1. Introduction

Jenkins CI is an extendable open source continuous integration server

  1. Vulnerability Description

The default installation and configuration of Jenkins CI is prone to a
security vulnerability. The Jenkins CI default markup formatter permits
offsite-bound forms. This vulnerability could be exploited by a remote
attacker (a malicious user) to inject malicious persistent HTML script
code (application side).

  1. Technical Description / Proof of Concept Code

The vulnerability is located in the 'Descriotion' input field of the
User Configuration function:


To reproduce the vulnerability, the attacker (a malicious user) can add
the malicious HTML script code:

<form method="POST" action=";&gt;
Username: <input type="text" name="username" size="15" /><br />
Password: <input type="password" name="passwort" size="15" /><br />
<div align="center">
<p><input type="submit" value="Login" /></p>

in the 'Descriotion' input field and click on save button.
The code execution happens when the victim (an unaware user) view the
'People List'


and click on attacker user id.

  1. Business Impact

Exploitation of the persistent web vulnerability requires a low
privilege web application user account.
Successful exploitation of the vulnerability results in persistent
phishing and persistent external redirects.

  1. Systems Affected

This vulnerability was tested against:
Jenkins CI v1.523
Older versions are probably affected too, but they were not checked.

  1. Vendor Information, Solutions and Workarounds

Currently, there are no known upgrades or patches to correct this
vulnerability. It is possible to temporarily mitigate the flaw by
implementing the following workaround:
'MyspacePolicy' permits
tag("form", "action", ONSITE_OR_OFFSITE_URL,

Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or
perhaps <form> could be banned entirely.

  1. Credits

This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com

  1. Vulnerability History

August 21th, 2013: Vulnerability identification
August 4th, 2013: Vendor notification [Jenkins CI]
November 19th, 2013: Vulnerability confirmation [Jenkins CI]
November 19th, 2013: Vendor Solution
December 16th, 2013: Vulnerability disclosure

  1. Disclaimer

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.
