CVE-2018-1000415

Name of the Vulnerable Software and Affected Versions Jenkins Rebuilder Plugin versions 1.28 and earlier

Description A cross-site scripting issue exists in the Jenkins Rebuilder Plugin that allows users with Job/Configuration permission to insert arbitrary HTML into rebuild forms. This issue is present in multiple RebuildAction files, including RebuildAction/BooleanParameterValue.jelly, RebuildAction/ExtendedChoiceParameterValue.jelly, RebuildAction/FileParameterValue.jelly, RebuildAction/LabelParameterValue.jelly, RebuildAction/ListSubversionTagsParameterValue.jelly, RebuildAction/MavenMetadataParameterValue.jelly, RebuildAction/NodeParameterValue.jelly, RebuildAction/PasswordParameterValue.jelly, RebuildAction/RandomStringParameterValue.jelly, RebuildAction/RunParameterValue.jelly, RebuildAction/StringParameterValue.jelly, RebuildAction/TextParameterValue.jelly, and RebuildAction/ValidatingStringParameterValue.jelly.

Recommendations As a temporary workaround, consider disabling the rebuild functionality in the Jenkins Rebuilder Plugin until a patch is available. Restrict access to the rebuild forms to minimize the risk of exploitation. Avoid using the rebuild functionality with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.