[R1] Multiple Jenkins Vulnerabilities

While researching Jenkins, Tenable found a couple of vulnerabilities.

SECURITY-1128: Unauthenticated Ephemeral User Creation via /securityRealm/user

Closely related to CVE-2017-2613 (aka SECURITY-406) and CVE-2018-1999043 (aka SECURITY-672), any unauthenticated attacker can visit http://<ip>:<port>/securityRealm/user/any-username/ to create an ephemeral user record for a user of any-username. As noted in the previous security advisories, this could be abused to create a large number of ephemeral user records in memory.

This can also interrupt usage of any API endpoint which includes the user's full name, as it is possible to include bad characters in the ephemeral username. For example: navigating to http://<ip>:<port>/securityRealm/user/%02/ will create a user with a full name containing the %02 (STX) control character, which will cause the XML and JSON API endpoints of /asynchPeople/ to become malformed.

SECURITY-1129: Reflected XSS

It's possible to inject XML (and, via the XHTML XML namespace, HTML/javascript) into any API XML endpoint which has the xpath and wrapper parameters. This is possible on a large number of pages that are behind authentication, but also the whoAmI page which is available to unauthenticated users. A proof of concept follows:

http://<ip>:<port>/whoAmI/api/xml?xpath=*&wrapper=?xml version="1.0"?><html xmlns="http://www.w3.org/1999/xhtml"><script>alert('Tenable Nessus')</script></html><!--