CVE-2018-1000426

Name of the Vulnerable Software and Affected Versions Jenkins Git Changelog Plugin versions 2.6 and earlier

Description A cross-site scripting issue exists that allows attackers to control the Git history parsed by the plugin, enabling them to have Jenkins render arbitrary HTML on some pages. This occurs in files such as GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, and GitLogBasicChangelogPostPublisher/config.jelly.

Recommendations For Jenkins Git Changelog Plugin versions 2.6 and earlier, consider disabling the plugin until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of arbitrary HTML rendering. Avoid using the plugin to parse untrusted Git history until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.