CVE-2024-28149: Jenkins HTML Publisher Plugin does not properly sanitize input

March 6, 2024 (updated December 6, 2024)

Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists.

References

github.com/advisories/GHSA-8vcg-v7g4-3vr7
github.com/jenkinsci/htmlpublisher-plugin
github.com/jenkinsci/htmlpublisher-plugin/commit/8bf2e2297a86ad50f7567fb953b2f8ec18b2891b
nvd.nist.gov/vuln/detail/CVE-2024-28149
www.jenkins.io/security/advisory/2024-03-06/

Code Behaviors & Features

Detect and mitigate CVE-2024-28149 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →