PT-2018-15192 · Cloudbees+1 · Jenkins

Published

2018-07-23

Updated

2022-06-13

CVE-2018-1999007

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.132 and earlier Jenkins versions 2.121.1 and earlier

Description A cross-site scripting issue exists in the Stapler web framework's org/kohsuke/stapler/Stapler.java, allowing attackers who can control certain URLs in Jenkins to define JavaScript that would be executed in another user's browser when that user views HTTP 404 error pages while Stapler debug mode is enabled.

Recommendations For Jenkins versions 2.132 and earlier, update to a version later than 2.132 to resolve the issue. For Jenkins versions 2.121.1 and earlier, update to a version later than 2.121.1 to resolve the issue. As a temporary workaround, consider disabling Stapler debug mode until a patch is available.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-1999007

GHSA-6456-XJM5-G3PG

Affected Products

Jenkins

PT-2018-15192 · Cloudbees+1 · Jenkins

CVE-2018-1999007

Weakness Enumeration

Related Identifiers

Affected Products

References · 7