CVE-2017-1000389: XSS
First published: Fri Jan 26 2018(Updated: )
Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Global-build-stats | <=1.4 | |
| maven/org.jenkins-ci.plugins:global-build-stats | <=1.4 | 1.5 |
| <=1.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-gw8g-hh47-q4gw
- alias/CVE-2017-1000389
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/author
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/jenkins
- canonical/jenkins global-build-stats
- version/jenkins global-build-stats/1.4
- package-manager/maven