CVE-2017-1000389

Name of the Vulnerable Software and Affected Versions Jenkins global-build-stats plugin version 1.4 and earlier

Description The issue concerns reflected cross-site scripting and cross-site request forgery vulnerabilities. Some URLs provided by the plugin returned JSON responses containing request parameters with a Content Type of text/html, which could be interpreted as HTML by clients. Furthermore, certain URLs that modify data did not require POST requests, potentially allowing for cross-site request forgery.

Recommendations For Jenkins global-build-stats plugin version 1.4 and earlier, update to a version later than 1.4 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's URLs that modify data to minimize the risk of cross-site request forgery, and ensure that clients properly handle JSON responses to prevent reflected cross-site scripting.