CVE-2017-17383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17383): Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624. @Maintainers please let us know when tree is clean. Thank you
From the Jenkins advisory it seems that this issue only affects a minority of installations: "This vulnerability can only be exploited by Jenkins administrators, as they’re the only ones able to define tools. In regular Jenkins configurations, administrators are able to run any code and install any plugin. Therefore this vulnerability only really affects installations that don’t grant administrators the Run Scripts, Configure Update Sites, and/or Install Plugins permissions."
Furthermore, upstream won't fix this and that is by design. The following workaround is available. "The Jenkins project has prepared a plugin preventing the configuration of unsafe tool names at https://github.com/jenkinsci-cert/security624. If you’re affected by this issue (i.e. are operating an instance restricting the permissions of administrators) we recommend installing the above plugin. You will need to build this plugin yourself. We are not planning to distribute it on our update sites, as we are unaware of any open source plugins enabling a configuration that would be affected by this vulnerability." My proposal would be to close this security bug.
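The advisory's workaround is to refuse unsafe tool names at configuration time. For an instance that cannot build the security624 plugin, an equivalent defensive check can be run offline against the stored tool definitions. The following Python is an added example, not the Jenkins project's plugin and not code from this bug report: it applies a conservative allowlist to every tool `<name>` found under `<installations>` (Ant-style tool descriptors) or `<jdks>` (JDK entries in the global config), and reports the ones that contain markup characters such as angle brackets or quotes. The XML layout of the two constructed sample configs is an assumption modelled on how Jenkins persists tool installations; the allowlist itself is also an assumption and may need widening for legitimate names.

```python
"""Audit Jenkins tool-installation names for markup characters.

Added example for CVE-2017-17383 / SECURITY-624; it is not the
jenkinsci-cert/security624 plugin.  The XML structure assumed below
(<installations>/<jdks> containing tool elements with a <name> child)
is an assumption about how Jenkins stores tool definitions, and both
sample documents are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Conservative allowlist (assumption): letters, digits, space, dot,
# underscore, plus and hyphen.  Angle brackets, quotes, ampersands and
# similar characters are rejected outright, so a name cannot carry
# markup into the job configuration form that renders it.
SAFE_TOOL_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._+\-]*")

# Container tags (assumed) under which Jenkins lists tool installations.
TOOL_CONTAINERS = ("installations", "jdks")


def is_safe_tool_name(name):
    """True only for a non-empty name made solely of allowlisted characters."""
    return name is not None and SAFE_TOOL_NAME.fullmatch(name) is not None


def find_unsafe_tool_names(xml_text):
    """Return (tool element tag, name) for every tool whose name fails the allowlist.

    ElementTree unescapes entities, so a stored '&lt;b&gt;' is seen as '<b>'.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for container_tag in TOOL_CONTAINERS:
        for container in root.iter(container_tag):
            for tool in container:  # one child element per installation
                name_el = tool.find("name")
                name = name_el.text if name_el is not None else None
                if not is_safe_tool_name(name):
                    findings.append((tool.tag, name))
    return findings


# Constructed sample: an Ant tool descriptor with one safe and one unsafe name.
SAMPLE_ANT_CONFIG = """<hudson.tasks.Ant_-DescriptorImpl>
  <installations>
    <hudson.tasks.Ant_-AntInstallation>
      <name>Ant 1.10</name>
      <home>/opt/ant</home>
    </hudson.tasks.Ant_-AntInstallation>
    <hudson.tasks.Ant_-AntInstallation>
      <name>Ant &lt;b&gt;bold&lt;/b&gt;</name>
      <home>/opt/ant</home>
    </hudson.tasks.Ant_-AntInstallation>
  </installations>
</hudson.tasks.Ant_-DescriptorImpl>"""

# Constructed sample: JDK entries as they would sit in the global config.
SAMPLE_JENKINS_CONFIG = """<hudson>
  <jdks>
    <jdk>
      <name>JDK 8</name>
      <home>/usr/lib/jvm/java-8</home>
    </jdk>
    <jdk>
      <name>JDK "8"</name>
      <home>/usr/lib/jvm/java-8</home>
    </jdk>
  </jdks>
</hudson>"""


if __name__ == "__main__":
    for label, doc in (("Ant", SAMPLE_ANT_CONFIG), ("JDK", SAMPLE_JENKINS_CONFIG)):
        for tag, name in find_unsafe_tool_names(doc):
            print(f"{label}: unsafe tool name in <{tag}>: {name!r}")
```

Run it against the real files from JENKINS_HOME by passing their contents to `find_unsafe_tool_names`; any finding is a tool whose name the security624 plugin would refuse, and which should be renamed before administrators with restricted permissions can reach the job configuration form. The allowlist approach is deliberately stricter than HTML-escaping on output: it keeps the stored value itself free of markup, which is the property the advisory's plugin enforces.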