[MAVEN:GHSA-Q7JX-R75R-HGJ2] Jenkins Cucumber Living Documentation Plugin Cross-site Scripting vulnerability

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users. This has been addressed in version 1.1.0 of the plugin, and it will now request that users change the Content-Security-Policy option in Jenkins.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/cucumber-living-documentation	<= 1.0.12

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/cucumber-living-documentation	= 1.1.0

ID

MAVEN:GHSA-Q7JX-R75R-HGJ2

Severity

moderate

URL

https://github.com/advisories/GHSA-q7jx-r75r-hgj2

Published

2022-05-14T03:23:50
(2 years ago)

Modified

2023-01-28T05:04:13
(19 months ago)

Rights

Maven Security Team

Other Advisories

JENKINS:SECURITY-308

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2018-1000144
			https://jenkins.io/security/advisory/2018-03-26/#SECURITY-308
			https://github.com/advisories/GHSA-q7jx-r75r-hgj2

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.jenkins-ci.plugins/cucumber-living-documentation	org.jenkins-ci.plugins	cucumber-living-documentation	<= 1.0.12
Fixed	pkg:maven/org.jenkins-ci.plugins/cucumber-living-documentation	org.jenkins-ci.plugins	cucumber-living-documentation	= 1.1.0

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date