Description
A cross-site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic, which disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users.
Remediation
References
https://jenkins.io/security/advisory/2018-03-26/#SECURITY-308