CloudBees Security Advisory 2017-11-16

This advisory announces vulnerabilities in these Jenkins plugins:

Reflected Cross-Site Scripting vulnerability in Delivery Pipeline plugin

SECURITY-640 / CVE-2017-1000404

Delivery Pipeline Plugin inserted the unescaped content of the fullscreen query parameter into the JavaScript it emitted, resulting in a reflected cross-site scripting vulnerability exploitable through specially crafted URLs.

The plugin now converts the value to a boolean (true/false) and inserts that into the page instead.
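The following is an added illustration of the pattern the advisory describes, not code from Delivery Pipeline Plugin itself: a raw query parameter concatenated into a script body beside the same rendering with the value reduced to a boolean first. The function names, the sample URLs and the exact coercion rule (case-insensitive comparison against "true") are assumptions made for the example.

```javascript
// Added example (not the plugin's own code). Names and URLs are hypothetical.

// Extract the raw `fullscreen` value from a URL's query string, or null if absent.
function fullscreenParam(url) {
  return new URL(url).searchParams.get('fullscreen');
}

// Vulnerable pattern: the raw parameter is concatenated straight into a
// <script> body, so anything after a semicolon runs as attacker-chosen JavaScript.
function renderVulnerable(url) {
  const raw = fullscreenParam(url) ?? 'false';
  return '<script>var fullscreen = ' + raw + ';</script>';
}

// Coercion rule assumed for this example: only the string "true" (any case)
// is treated as true; a missing or arbitrary value becomes false.
function toBoolean(raw) {
  return raw !== null && raw.toLowerCase() === 'true';
}

// Fixed pattern, modelled on the advisory's description: the parameter is
// reduced to a boolean, so the only strings that can ever reach the page
// are the literals "true" and "false".
function renderFixed(url) {
  const flag = toBoolean(fullscreenParam(url));
  return '<script>var fullscreen = ' + String(flag) + ';</script>';
}

// Check a rendered fragment: the script body must be exactly one of the two
// allowed forms, anything else means attacker-controlled text got through.
function isSafeRender(html) {
  return /^<script>var fullscreen = (true|false);<\/script>$/.test(html);
}

// Constructed inputs (not from the advisory): a normal request and a crafted one.
const BENIGN_URL = 'https://jenkins.example/view/pipeline/?fullscreen=true';
const CRAFTED_URL = 'https://jenkins.example/view/pipeline/?fullscreen=' +
  encodeURIComponent('true;alert(document.cookie)//');

console.log('vulnerable:', renderVulnerable(CRAFTED_URL), isSafeRender(renderVulnerable(CRAFTED_URL)));
console.log('fixed:     ', renderFixed(CRAFTED_URL), isSafeRender(renderFixed(CRAFTED_URL)));
```

With the crafted URL the vulnerable rendering emits `var fullscreen = true;alert(document.cookie)//;`, which the browser executes in the page's origin; the fixed rendering emits `var fullscreen = false;` regardless of what the parameter contained.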

Affected versions

The following plugin versions are affected:

  • Delivery Pipeline Plugin up to and including 1.0.7

Fix

  • Delivery Pipeline Plugin should be updated to version 1.0.8

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.