CVE-2018-1000144 – org.jenkins-ci.plugins:cucumber-living-documentation
Package
Manager: maven
Name: org.jenkins-ci.plugins:cucumber-living-documentation
Vulnerable Version: >=0 <1.1.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00065 (percentile 0.20442)
Details
Jenkins Cucumber Living Documentation Plugin Cross-site Scripting vulnerability
A cross-site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic, which disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users. This has been addressed in version 1.1.0 of the plugin, which now requests that users change the Content-Security-Policy option in Jenkins.
Metadata
Created: 2022-05-14T03:23:50Z
Modified: 2022-12-12T21:30:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q7jx-r75r-hgj2/GHSA-q7jx-r75r-hgj2.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-q7jx-r75r-hgj2
Finding: F425
Auto approve: 1