CVE-2018-1999029

Name of the Vulnerable Software and Affected Versions Jenkins Shelve Project Plugin versions 1.5 and earlier

Description A cross-site scripting issue exists that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. This issue is related to the ShelveProjectAction/index.jelly and ShelvedProjectsAction/index.jelly files.

Recommendations For Jenkins Shelve Project Plugin versions 1.5 and earlier, consider restricting access to the ShelveProjectAction/index.jelly and ShelvedProjectsAction/index.jelly files until a patch is available. As a temporary workaround, limit the Job/Configure permission to trusted users to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.