PT-2018-9316 · Jenkins · Jenkins Cucumber Living Documentation Plugin+1

Daniel Beck

Published

2018-04-05

Updated

2022-05-14

CVE-2018-1000144

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Cucumber Living Documentation Plugin versions 1.0.12 and older

Description A cross-site scripting issue exists in the CukedoctorBaseAction#doDynamic function, which disables Content-Security-Policy protection for archived artifacts and workspace files. This allows attackers who can control the content of these files to attack Jenkins users.

Recommendations For Jenkins Cucumber Living Documentation Plugin versions 1.0.12 and older, update to version 1.1.0 or newer, and change the Content-Security-Policy option in Jenkins as requested by the plugin.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-1000144

GHSA-Q7JX-R75R-HGJ2

Affected Products

Jenkins

Jenkins Cucumber Living Documentation Plugin

PT-2018-9316 · Jenkins · Jenkins Cucumber Living Documentation Plugin+1

CVE-2018-1000144

Weakness Enumeration

Related Identifiers

Affected Products

References · 5