CVE-2018-1000426

Опубликовано: 09 янв. 2019

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attackers able to control the Git history parsed by the plugin to have Jenkins render arbitrary HTML on some pages.

Ссылки

http://www.securityfocus.com/bid/106532
Third Party Advisory
VDB Entry
https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1122
Vendor Advisory
http://www.securityfocus.com/bid/106532
Third Party Advisory
VDB Entry
https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1122
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jenkins:git_changelog:*:*:*:*:*:jenkins:*:*

Версия до 2.6 (включая)

EPSS

Процентиль: 28%

0.00099

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-jcmg-9rw5-9rm2