CVE-2024-28149: Jenkins HTML Publisher Plugin does not properly sanitize input

March 6, 2024

Jenkins HTML Publisher Plugin 1.16 through 1.32 (both inclusive) does not properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks and to determine whether a path on the Jenkins controller file system exists.

References

github.com/advisories/GHSA-8vcg-v7g4-3vr7
github.com/jenkinsci/htmlpublisher-plugin
github.com/jenkinsci/htmlpublisher-plugin/commit/8bf2e2297a86ad50f7567fb953b2f8ec18b2891b
nvd.nist.gov/vuln/detail/CVE-2024-28149
www.jenkins.io/security/advisory/2024-03-06/

Detect and mitigate CVE-2024-28149 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →