CVE-2018-1000413 — Stored XSS vulnerability in Config File Provider Plugin

Description

A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins.

How to fix CVE-2018-1000413

To remediate CVE-2018-1000413, upgrade the affected package to a fixed version below.

—upgrade to 3.2 or later

Is CVE-2018-1000413 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000413
WEBgithub.com/jenkinsci/config-file-provider-plugin/commit/5c1df554e44b712e5d926b8d5557c592bf9f0a33
WEBjenkins.io/security/advisory/2018-09-25/#SECURITY-1080
WEBwww.securityfocus.com/bid/106532