Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xN2p4LXI3NXItaGdqMs4AAW5e
Jenkins Cucumber Living Documentation Plugin Cross-site Scripting vulnerability
A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users. This has been addressed in version 1.1.0 of the plugin, and it will now request that users change the Content-Security-Policy option in Jenkins.
Permalink: https://github.com/advisories/GHSA-q7jx-r75r-hgj2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xN2p4LXI3NXItaGdqMs4AAW5e
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 4 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-q7jx-r75r-hgj2, CVE-2018-1000144
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000144
- https://jenkins.io/security/advisory/2018-03-26/#SECURITY-308
- https://github.com/advisories/GHSA-q7jx-r75r-hgj2
Affected Packages
maven:org.jenkins-ci.plugins:cucumber-living-documentation
Versions: <= 1.0.12Fixed in: 1.1.0