Vulnerability Description
Some URLs provided by the Jenkins global-build-stats plugin, version 1.4 and earlier, returned a JSON response that contained request parameters. These responses were served with the Content-Type text/html rather than a JSON media type, so a browser could interpret the body as HTML and execute markup reflected from the request, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by the plugin that modify data did not require POST requests, so the change could be triggered by a plain GET (for example a link or image load on a third-party page), resulting in a potential cross-site request forgery vulnerability.
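As an added example (this is not code from the plugin or from the Jenkins project), the two response patterns the description mentions modelled in Python, each beside its hardened form, with the checks a reviewer would run against them offline. The endpoint names, the response shapes, the stats list and the probe string are assumptions; they stand in for the plugin's real URLs, which this page does not name.

```python
import json

# Added example, not the plugin's code. The endpoint shapes below are assumed
# stand-ins for the patterns the advisory describes.


def json_endpoint(params, hardened):
    """Model of a read-only URL that echoes request parameters in a JSON body.

    hardened=False serves the JSON with Content-Type: text/html, the pattern
    the advisory describes: a browser renders the body as HTML, so any markup
    in a reflected parameter runs. hardened=True declares the real media type
    and forbids MIME sniffing, so the same body is never rendered as a page.
    """
    body = json.dumps({"status": "ok", "params": params})
    headers = {"Content-Type": "text/html"}
    if hardened:
        headers = {
            "Content-Type": "application/json;charset=UTF-8",
            "X-Content-Type-Options": "nosniff",
        }
    return {"status": 200, "headers": headers, "body": body}


def stateful_endpoint(method, state, hardened):
    """Model of a URL that modifies data (here: clears a list of build stats).

    hardened=False performs the change on any HTTP method, so a GET issued by
    <img src=...> or a link on an attacker's page succeeds. hardened=True
    refuses anything but POST, which stops link- and image-based CSRF.
    """
    if hardened and method != "POST":
        return {"status": 405, "headers": {"Allow": "POST"}, "body": ""}
    state["stats"].clear()
    return {"status": 200, "headers": {}, "body": ""}


def media_type(response):
    """The bare media type of a response, without charset or other parameters."""
    return response["headers"].get("Content-Type", "").split(";")[0].strip().lower()


def reflected_as_html(response, probe):
    """True when a browser would render the body as HTML and the probe survives in it.

    json.dumps escapes quotes and backslashes but leaves '<', '>' and '=' alone,
    so an HTML-tag probe in a parameter reaches the body byte-for-byte.
    """
    return media_type(response) == "text/html" and probe in response["body"]


def changes_state_on_get(endpoint):
    """True when a plain GET, as a CSRF page would issue, performs the change."""
    state = {"stats": ["build-1", "build-2"]}  # constructed sample data
    endpoint("GET", state)
    return state["stats"] == []


PROBE = "<img src=x onerror=alert(1)>"  # constructed XSS probe, harmless on its own


def audit():
    """Run both checks against the vulnerable and the hardened variants."""
    return {
        "xss_vulnerable": reflected_as_html(json_endpoint({"q": PROBE}, False), PROBE),
        "xss_hardened": reflected_as_html(json_endpoint({"q": PROBE}, True), PROBE),
        "csrf_vulnerable": changes_state_on_get(lambda m, s: stateful_endpoint(m, s, False)),
        "csrf_hardened": changes_state_on_get(lambda m, s: stateful_endpoint(m, s, True)),
    }


if __name__ == "__main__":
    for name, exposed in audit().items():
        print(f"{name}: {'EXPOSED' if exposed else 'ok'}")
```

Two caveats for anyone applying this pattern to a real plugin. First, the check on the JSON endpoint keys on the declared media type because that is what the browser keys on; adding X-Content-Type-Options: nosniff alongside application/json is what prevents older or lenient clients from second-guessing the header. Second, requiring POST on its own only defeats CSRF delivered through a GET (links, images, redirects); a cross-site HTML form can still POST, which is why Jenkins pairs its POST requirement with its CSRF crumb on state-changing requests. The model above shows the POST requirement that the advisory text describes and does not model the crumb.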
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Global-Build-Stats | <= 1.4 |
Related Weaknesses (CWE)
References
- https://jenkins.io/security/advisory/2017-10-23/ (Vendor Advisory)
FAQ
What is CVE-2017-1000389?
CVE-2017-1000389 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Some URLs provided by the Jenkins global-build-stats plugin, version 1.4 and earlier, returned a JSON response containing request parameters with the Content-Type text/html, so clients could interpret the response as HTML (a potential reflected cross-site scripting vulnerability). In addition, some URLs provided by the plugin that modify data did not require POST requests (a potential cross-site request forgery vulnerability).
How severe is CVE-2017-1000389?
CVE-2017-1000389 has been rated MEDIUM with a CVSS base score of 6.1/10. This page lists only the base score and rating, not the individual CVSS metrics; consult the vendor advisory in the references section for the details of the two issues (reflected cross-site scripting and cross-site request forgery).
Is there a patch for CVE-2017-1000389?
Check the references section above for the vendor advisory (the Jenkins security advisory of 2017-10-23) and patch information; the advisory identifies the fixed version. The affected product is the Jenkins global-build-stats plugin, version 1.4 and earlier.