VYPR
Moderate severity · NVD Advisory · Published Apr 5, 2018 · Updated Sep 17, 2024

CVE-2018-1000144

Description

Jenkins Cucumber Living Documentation Plugin ≤1.0.12 disables Content-Security-Policy for artifacts and workspace files, enabling XSS attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Jenkins Cucumber Living Documentation Plugin, versions 1.0.12 and older, contains a cross-site scripting (XSS) vulnerability in the CukedoctorBaseAction#doDynamic method. This action disables the Content-Security-Policy (CSP) HTTP headers that Jenkins normally applies to protect users when viewing archived artifacts and workspace files via DirectoryBrowserSupport. The CSP was introduced in Jenkins 1.641 and 1.625.3 (SECURITY-95) to prevent XSS attacks, but the plugin explicitly removes that protection for the duration of the Jenkins session [1][2].

Exploitation

An attacker must be able to control the content of a file stored in a Jenkins archived artifact or workspace — for example, by having write access to a job's workspace or by uploading a malicious artifact through a build process. When a Jenkins user visits the living documentation page for that job, the attacker-controlled file's content will be rendered without CSP protection. No additional user interaction (beyond the victim viewing the affected page) is required, and the attack does not require Jenkins authentication beyond what is needed to store the malicious file [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's Jenkins session. This could lead to theft of credentials, session hijacking, or arbitrary actions performed on behalf of the victim Jenkins user. The attack scope is bounded by the permissions of the victim user but can include full Jenkins controller compromise if the victim is an administrator [1][2].

Mitigation

The vulnerability was fixed in Cucumber Living Documentation Plugin version 1.1.0, released on 2018-03-26 as part of the Jenkins Security Advisory [1]. Users should upgrade to version 1.1.0 or later. Workarounds are not provided for versions 1.0.12 and older. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
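
A verification sketch for the condition described above, added here as an example and not taken from the advisory or the plugin: it classifies the response headers of an archived artifact or workspace file as `OK`, `WEAK` or `MISSING`. The function names are hypothetical and the sample header sets are constructed; the first sample uses the policy string documented as the Jenkins core default, which is an assumption from outside this page.

```python
"""Classify the CSP on a Jenkins artifact/workspace file response (added example)."""


def parse_csp(policy):
    """Split a CSP string into {directive: [tokens]}; the first duplicate wins, as in browsers."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives


def scripts_blocked(policy):
    """True if the policy stops script execution in a served file."""
    d = parse_csp(policy)
    # A sandbox without allow-scripts disables script execution outright.
    if "sandbox" in d and "allow-scripts" not in d["sandbox"]:
        return True
    # Otherwise only an effective script source list of 'none' is safe here:
    # 'self' is the Jenkins origin, where build-controlled files are served.
    effective = d.get("script-src", d.get("default-src"))
    return effective == ["'none'"]


def audit_artifact_headers(headers):
    """Return 'MISSING', 'WEAK' or 'OK' for one response's headers (a dict)."""
    lower = {k.lower(): v for k, v in headers.items()}
    policy = lower.get("content-security-policy", "").strip()
    if not policy:
        return "MISSING"  # the state the advisory describes: no CSP on served files
    return "OK" if scripts_blocked(policy) else "WEAK"


# Constructed sample responses (not captured from a real controller).
SAMPLES = {
    # Policy string documented as the Jenkins core default (assumption, not from this page).
    "default": {"Content-Security-Policy":
                "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"},
    "disabled": {"Content-Type": "text/html"},
    "relaxed": {"content-security-policy":
                "default-src 'self'; script-src 'self' 'unsafe-inline'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:9s} {audit_artifact_headers(hdrs)}")
```

Feed it the headers returned for any artifact or workspace file URL on the controller; a `MISSING` result after upgrading the plugin suggests the relaxed setting is still active in the running session.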

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| org.jenkins-ci.plugins:cucumber-living-documentation | Maven | < 1.1.0 | 1.1.0 |
