CVE-2018-1999007: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 13, 2022 (updated December 20, 2023)

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework’s org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user’s browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

References

github.com/advisories/GHSA-6456-xjm5-g3pg
github.com/jenkinsci/stapler/commit/03e221a81e8424709d1fbdf72ab814309dd8e13f
jenkins.io/security/advisory/2018-07-18/
nvd.nist.gov/vuln/detail/CVE-2018-1999007
www.oracle.com/security-alerts/cpuapr2022.html

Code Behaviors & Features

Detect and mitigate CVE-2018-1999007 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →