This advisory announces vulnerabilities in these Jenkins plugins:
SECURITY-640 / CVE-2017-1000404
Delivery Pipeline Plugin used the unescaped content of the query parameter fullscreen in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs.
The plugin now converts the value to a boolean (true/false) and inserts that into the page instead.
SECURITY-640: medium
Delivery Pipeline Plugin should be updated to version 1.0.8
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
Viktor Gazdag of NCC Group for SECURITY-640