WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2018-1999007 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Description

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Remediation

References

https://jenkins.io/security/advisory/2018-07-18/#SECURITY-390

https://www.oracle.com/security-alerts/cpuapr2022.html

Related Vulnerabilities

CVE-2022-40152 Vulnerability in maven package com.fasterxml.woodstox:woodstox-core

CVE-2022-34177 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-input-step

CVE-2023-43502 Vulnerability in maven package com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer

CVE-2020-7650 Vulnerability in npm package snyk-broker

CVE-2021-26117 Vulnerability in maven package org.apache.activemq:activemq-jaas

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory Patch Third Party Advisory