GSA_kwCzR0hTQS05amN2LXY0anAtdzNjcc4AATfy

Moderate EPSS: 0.00139% (0.3466 Percentile) EPSS:

Permalink JSON

Cross-site Scripting in Jenkins Core

Affected Packages	Affected Versions	Fixed Versions
maven:org.jenkins-ci.main:jenkins-core	<= 2.107.1, >= 2.108, <= 2.115	2.107.2, 2.116

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-1000170
https://jenkins.io/security/advisory/2018-04-11/#SECURITY-759
https://github.com/jenkinsci/jenkins/commit/07d18cfd6d336a2b7cc0a78e120d9739a5d4e1d1
https://github.com/advisories/GHSA-9jcv-v4jp-w3cq

Identifiers

GHSA-9jcv-v4jp-w3cq

CVE-2018-1000170

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00139

EPSS Percentile: 0.3466

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/jenkinsci/jenkins

Date and time

Published

over 3 years ago

Updated

over 1 year ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories