GHSA-q7jx-r75r-hgj2

Source
https://github.com/advisories/GHSA-q7jx-r75r-hgj2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q7jx-r75r-hgj2/GHSA-q7jx-r75r-hgj2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q7jx-r75r-hgj2
Aliases
Published
2022-05-14T03:23:50Z
Modified
2023-11-08T03:59:35.819988Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Jenkins Cucumber Living Documentation Plugin Cross-site Scripting vulnerability
Details

A cross-site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older: CukedoctorBaseAction#doDynamic disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users. This has been addressed in version 1.1.0 of the plugin, which no longer disables the protection and instead asks users to change the Content-Security-Policy option in Jenkins themselves.

References

Affected packages

Maven / org.jenkins-ci.plugins:cucumber-living-documentation

Package

Name
org.jenkins-ci.plugins:cucumber-living-documentation
Purl
pkg:maven/org.jenkins-ci.plugins/cucumber-living-documentation

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.1.0

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12

Database specific

{
    "last_known_affected_version_range": "<= 1.0.12"
}