CVE-2018-1000415

Description

A cross-site scripting vulnerability exists in Jenkins Rebuilder Plugin 1.28 and earlier in ``` RebuildAction/BooleanParameterValue.jelly, RebuildAction/ExtendedChoiceParameterValue.jelly, RebuildAction/FileParameterValue.jelly, RebuildAction/LabelParameterValue.jelly, RebuildAction/ListSubversionTagsParameterValue.jelly, RebuildAction/MavenMetadataParameterValue.jelly, RebuildAction/NodeParameterValue.jelly, RebuildAction/PasswordParameterValue.jelly, RebuildAction/RandomStringParameterValue.jelly, RebuildAction/RunParameterValue.jelly, RebuildAction/StringParameterValue.jelly, RebuildAction/TextParameterValue.jelly, RebuildAction/ValidatingStringParameterValue.jelly ``` that allows users with Job/Configuration permission to insert arbitrary HTML into rebuild forms.

How to fix CVE-2018-1000415

To remediate CVE-2018-1000415, upgrade the affected package to a fixed version below.

• —upgrade to 1.29 or later

Is CVE-2018-1000415 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.29

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000415
• WEBgithub.com/jenkinsci/rebuild-plugin/commit/3a4ca33a45fa048c9ab7b7082f87e72c0df848cb
• WEBjenkins.io/security/advisory/2018-09-25/#SECURITY-130
• WEBwww.securityfocus.com/bid/106532