CVE-2017-1000404
Description
Jenkins Delivery Pipeline Plugin ≤1.0.7 has a reflected XSS via the unescaped 'fullscreen' query parameter in its JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Delivery Pipeline Plugin versions 1.0.7 and earlier insert the unescaped content of the 'fullscreen' query parameter directly into the plugin's JavaScript, leading to a reflected cross-site scripting (XSS) vulnerability [1][2]. This flaw affects all versions up to and including 1.0.7 [2].
Exploitation
An attacker can craft a URL containing malicious JavaScript in the fullscreen query parameter and trick a victim into clicking that link. No authentication is required to trigger the reflection; the victim must only visit the crafted URL while using a browser that can render the plugin's page [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the context of the Jenkins session. This can lead to access to session tokens, UI manipulation, or further attacks against the Jenkins instance [1][2].
Mitigation
Users should update the Delivery Pipeline Plugin to version 1.0.8, released on 2017-11-16, which no longer reflects the raw input but converts the value to a boolean (true/false) before insertion [2]. No workaround is provided for earlier versions; upgrading is the only fix [2].
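The fix described above (reduce the parameter to a boolean before it reaches script text), shown next to the raw-reflection pattern as an added example. This is not the plugin's code: the function names, the view object and the sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration; not the Delivery Pipeline Plugin's source.
// renderRaw, renderCoerced, toBoolean and the `view` object are hypothetical names.

// Pre-fix pattern: the query value is pasted into script text as-is, so
// whatever the URL carried becomes part of the page's JavaScript.
function renderRaw(query) {
  return "<script>var view = { fullscreen: " + query.fullscreen + " };</script>";
}

// Post-fix pattern as the advisory describes it: reduce the value to a
// boolean first, so only the literals true or false can reach the script.
function toBoolean(value) {
  return typeof value === "string" && value.trim().toLowerCase() === "true";
}

function renderCoerced(query) {
  const flag = toBoolean(query.fullscreen) ? "true" : "false";
  return "<script>var view = { fullscreen: " + flag + " };</script>";
}

// Regression check: the rendered script must be one of exactly two strings.
function isSafeOutput(html) {
  return /^<script>var view = \{ fullscreen: (true|false) \};<\/script>$/.test(html);
}

// Constructed sample inputs (benign markers, not real request data).
const samples = [
  { fullscreen: "true" },
  { fullscreen: "FALSE" },
  { fullscreen: "true, marker: 1" }, // non-boolean text alters the script
  { fullscreen: ["true", "x"] },     // repeated parameter parsed as an array
  {},                                // parameter absent
];

// Render every sample both ways and record which outputs pass the check.
function audit() {
  return samples.map((q) => ({
    input: q.fullscreen,
    rawSafe: isSafeOutput(renderRaw(q)),
    coercedSafe: isSafeOutput(renderCoerced(q)),
  }));
}

console.log(audit());
```

A check like isSafeOutput can run as a regression test against the rendered page after upgrading, since the coerced form has only two possible outputs.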
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| se.diabol.jenkins.pipeline:delivery-pipeline-plugin (Maven) | < 1.0.8 | 1.0.8 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-g364-c7w5-93wh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-1000404 (ghsa, ADVISORY)
- www.securityfocus.com/bid/101927 (ghsa, vdb-entry, x_refsource_BID, WEB)
- jenkins.io/security/advisory/2017-11-16 (ghsa, WEB)
- jenkins.io/security/advisory/2017-11-16/ (mitre, x_refsource_CONFIRM)