PT-2019-8726 · Jenkins · Jenkins Rebuilder Plugin

Daniel Beck

Publicado

2019-01-09

Atualizado

2022-05-14

CVE-2018-1000415

CVSS v3.1

5.4

Média

Vetor

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Rebuilder Plugin versions 1.28 and earlier

Description A cross-site scripting issue exists in the Jenkins Rebuilder Plugin that allows users with Job/Configuration permission to insert arbitrary HTML into rebuild forms. This issue is present in multiple RebuildAction files, including RebuildAction/BooleanParameterValue.jelly, RebuildAction/ExtendedChoiceParameterValue.jelly, RebuildAction/FileParameterValue.jelly, RebuildAction/LabelParameterValue.jelly, RebuildAction/ListSubversionTagsParameterValue.jelly, RebuildAction/MavenMetadataParameterValue.jelly, RebuildAction/NodeParameterValue.jelly, RebuildAction/PasswordParameterValue.jelly, RebuildAction/RandomStringParameterValue.jelly, RebuildAction/RunParameterValue.jelly, RebuildAction/StringParameterValue.jelly, RebuildAction/TextParameterValue.jelly, and RebuildAction/ValidatingStringParameterValue.jelly.

Recommendations As a temporary workaround, consider disabling the rebuild functionality in the Jenkins Rebuilder Plugin until a patch is available. Restrict access to the rebuild forms to minimize the risk of exploitation. Avoid using the rebuild functionality with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2018-1000415

GHSA-7M8V-W6F9-Q2F9

Produtos afetados

Jenkins Rebuilder Plugin

PT-2019-8726 · Jenkins · Jenkins Rebuilder Plugin

CVE-2018-1000415

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 6