====================================================================

                              CERT-Renater

                 Note d'Information No. 2017/VULN350
_____________________________________________________________________

DATE                : 16/11/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Delivery Pipeline for Jenkins
                              versions prior to 1.0.8.

=====================================================================
https://jenkins.io/security/advisory/2017-11-16/
_______________________________________________________________

Jenkins Security Advisory 2017-11-16

This advisory announces vulnerabilities in these Jenkins plugins:

    Delivery Pipeline


Description

Reflected Cross-Site Scripting vulnerability in Delivery Pipeline plugin

SECURITY-640 / CVE pending

Delivery Pipeline Plugin used the unescaped content of the query
parameter fullscreen in its JavaScript, resulting in a cross-site
scripting vulnerability through specially crafted URLs.

The plugin now converts the value to a boolean (true/false) and inserts
that into the page instead.


Severity

    SECURITY-640: medium


Affected versions

    Delivery Pipeline Plugin up to and including 1.0.7


Fix

    Delivery Pipeline Plugin should be updated to version 1.0.8

These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Viktor Gazdag of NCC Group for SECURITY-640


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================