CVE-2018-1999007

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.132 and earlier Jenkins versions 2.121.1 and earlier

Description A cross-site scripting issue exists in the Stapler web framework's org/kohsuke/stapler/Stapler.java, allowing attackers who can control certain URLs in Jenkins to define JavaScript that would be executed in another user's browser when that user views HTTP 404 error pages while Stapler debug mode is enabled.

Recommendations For Jenkins versions 2.132 and earlier, update to a version later than 2.132 to resolve the issue. For Jenkins versions 2.121.1 and earlier, update to a version later than 2.121.1 to resolve the issue. As a temporary workaround, consider disabling Stapler debug mode until a patch is available.