Jenkins S3 Publisher Plugin CVE-2018-1000177 HTML Injection Vulnerability

Bugtraq ID:	104221
Class:	Input Validation Error
CVE:	CVE-2018-1000177
Remote:	Yes
Local:	No
Published:	Apr 16 2018 12:00AM
Updated:	Apr 16 2018 12:00AM
Credit:	Oleg Nenashev, CloudBees, Inc.
Vulnerable:	Jenkins-Ci S3 Publisher Plugin 0.10.12
Not Vulnerable:	Jenkins-Ci S3 Publisher Plugin 0.11

Jenkins S3 Publisher Plugin CVE-2018-1000177 HTML Injection Vulnerability

S3 Publisher Plugin for Jenkins is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Successful exploits will result in the execution of arbitrary attacker-supplied HTML and script code in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the page is rendered to the user. Other attacks are also possible.

S3 Publisher Plugin 0.10.12 and prior versions are vulnerable.

Jenkins S3 Publisher Plugin CVE-2018-1000177 HTML Injection Vulnerability

An attacker can exploit this issue using a web browser.

Jenkins S3 Publisher Plugin CVE-2018-1000177 HTML Injection Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.