CVE-2017-1000386

EPSS 0.04%
Veröffentlicht 26.01.2018 02:29:00
Zuletzt bearbeitet 21.11.2024 03:04:36
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the 'Build With Parameters' page through the 'Active Choices Reactive Reference Parameter' type. This could include, for example, arbitrary JavaScript. Active Choices now sanitizes the HTML inserted on the 'Build With Parameters' page if and only if the script is executed in a sandbox. As unsandboxed scripts are subject to administrator approval, it is up to the administrator to allow or disallow problematic script output.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jenkins ≫ Active Choices SwPlatformjenkins Version <= 1.5.2

Jenkins ≫ Active Choices Version1.5.3 Update-

Jenkins ≫ Active Choices Version1.5.3 Updatealpha SwPlatformjenkins

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.126

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://www.securityfocus.com/bid/101538

Third Party Advisory

VDB Entry

https://jenkins.io/security/advisory/2017-10-23/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-1000386

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-1000386

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-1000386

EUVD