PT-2018-5186 · Jenkins · Jenkins Delivery Pipeline Plugin
Viktor Gazdag · Published 2018-01-26 · Updated 2022-05-14 · CVE-2017-1000404
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Delivery Pipeline Plugin versions 1.0.7 and earlier
Description
The issue arises from the unescaped content of the query parameter fullscreen in the plugin's JavaScript, leading to a cross-site scripting vulnerability through specially crafted URLs.
Recommendations
For Jenkins Delivery Pipeline Plugin versions 1.0.7 and earlier, update to version 1.0.8 or later, which converts the fullscreen parameter value to a boolean (true/false) and inserts that into the page instead, mitigating the cross-site scripting vulnerability.
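The unsafe pattern the advisory describes next to the boolean-coercion fix, as an added JavaScript example; this is not the Delivery Pipeline Plugin's own code, and the function names, the markup produced and the constructed sample URLs are assumptions made for illustration.

```javascript
// Added example, not code from the Delivery Pipeline Plugin.
// Function names, the markup shape and the sample URLs below are assumptions.

// Read one query parameter from a URL search string such as "?fullscreen=true".
// Returns null when the parameter is absent.
function getQueryParam(search, name) {
  return new URLSearchParams(search).get(name);
}

// Unsafe pattern (the class of bug in versions <= 1.0.7): the raw parameter
// text is interpolated into markup without escaping, so whatever text the URL
// carries reaches the page verbatim.
function renderVulnerable(search) {
  const fullscreen = getQueryParam(search, "fullscreen");
  return `<div class="pipeline" data-fullscreen="${fullscreen}"></div>`;
}

// Fixed pattern (what 1.0.8 does in spirit): coerce the parameter to a boolean
// first. Only the literal text "true" or "false" can ever be inserted, so the
// attacker-controlled string never reaches the page.
function renderFixed(search) {
  const fullscreen = getQueryParam(search, "fullscreen") === "true";
  return `<div class="pipeline" data-fullscreen="${fullscreen}"></div>`;
}

// Review/detection helper: the fixed renderer has exactly two possible outputs.
// Anything else means untrusted text leaked into the markup.
function isExpectedMarkup(html) {
  return (
    html === '<div class="pipeline" data-fullscreen="true"></div>' ||
    html === '<div class="pipeline" data-fullscreen="false"></div>'
  );
}

// Constructed sample inputs: a normal request and a tampered one whose
// parameter value is 'true"><marker>' (percent-encoded), a harmless stand-in
// for any text that should never be copied into the page.
const NORMAL_URL = "?fullscreen=true";
const TAMPERED_URL = "?fullscreen=true%22%3E%3Cmarker%3E";

console.log("vulnerable, normal :", renderVulnerable(NORMAL_URL));
console.log("vulnerable, tampered:", renderVulnerable(TAMPERED_URL));
console.log("fixed, tampered     :", renderFixed(TAMPERED_URL));
```

Run with `node` to see that the vulnerable renderer echoes the tampered value into the page while the fixed renderer collapses any non-"true" value to `false`; `isExpectedMarkup` is the kind of check a reviewer can apply to the rendered output of the patched code.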
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Delivery Pipeline Plugin