CVE-2018-1999007

MEDIUM

Jenkins < 2.121.1 - Cross-Site Scripting via Stapler Debug Mode HTTP 404 Error Page

Title source: llm

Description

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

References (2)

Core 2

Core References

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuapr2022.html

Vendor Advisory x_refsource_confirm

https://jenkins.io/security/advisory/2018-07-18/#SECURITY-390

Scores

CVSS v3 5.4

EPSS 0.0016

EPSS Percentile 36.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (4)

jenkins/jenkins < 2.121.1

oracle/communications_cloud_native_core_automated_test_suite 1.9.0

org.jenkins-ci.main/jenkins-core 0 - 2.121.2Maven

org.kohsuke.stapler/stapler-parent 0 - 1.250.1Maven

Published Jul 23, 2018

Tracked Since Feb 18, 2026