CVE-2018-1999007

2018-07-2319:29:00

Google

osv.dev

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.7 Medium

AI Score

Confidence

High

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

19.7%

JSON

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework’s org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user’s browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

CPENameOperatorVersion
jenkinseqjenkins-2.131
jenkinseqjenkins-2.132
jenkinseqjenkins-2.130
jenkinseqjenkins-2.124
jenkinseqjenkins-2.128
jenkinseqjenkins-2.129
jenkinseqjenkins-2.127
jenkinseqjenkins-2.122
jenkinseqjenkins-2.125
jenkinseqjenkins-2.126

Name	Operator	Version
jenkins	eq	jenkins-2.131
jenkins	eq	jenkins-2.132
jenkins	eq	jenkins-2.130
jenkins	eq	jenkins-2.124
jenkins	eq	jenkins-2.128
jenkins	eq	jenkins-2.129
jenkins	eq	jenkins-2.127
jenkins	eq	jenkins-2.122
jenkins	eq	jenkins-2.125
jenkins	eq	jenkins-2.126