Moderate severity · OSV Advisory · Published Jan 9, 2019 · Updated Aug 5, 2024

CVE-2018-1000413

Description

A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.1 and earlier in configfiles.jelly, providerlist.jelly that allows users with the ability to configure configuration files to insert arbitrary HTML into some pages in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in Jenkins Config File Provider Plugin 3.1 and earlier allows users with configuration file permissions to inject arbitrary HTML into pages.

Vulnerability

Config File Provider Plugin prior to version 3.2 does not escape configuration file metadata when displaying it in configfiles.jelly and providerlist.jelly. This allows users with the ability to configure configuration files (i.e., Overall/Administer or Item/Configure permissions) to insert arbitrary HTML and JavaScript into the Jenkins UI. Affected versions are 3.1 and earlier [1].

Exploitation

An attacker must have permission to configure configuration files. They can craft a malicious configuration file with injected script in metadata fields. When any user views a page that lists configuration files, the injected script executes in the victim's browser within the Jenkins session.

Impact

Successful exploitation results in stored cross-site scripting (XSS). An attacker can execute arbitrary JavaScript in the context of Jenkins, potentially leading to session hijacking, sensitive data access, or unauthorized actions.

Mitigation

Upgrade to Config File Provider Plugin version 3.2 or later, which escapes metadata values. The fix also includes adding @POST annotations to prevent cross-site request forgery [3]. No workaround is available.
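A check for this bug class in Jelly views, as an added example (not code from the plugin or the advisory): it reports values written through `<j:out>`, which Jelly emits without HTML escaping, and bare `${...}` text in files that lack the `<?jelly escape-by-default='true'?>` declaration. The function name, finding labels and sample views are constructed for illustration.

```python
import re

# <?jelly escape-by-default='true'?> makes bare ${...} text HTML-escaped
ESCAPE_PI = re.compile(r"""<\?jelly\s+escape-by-default\s*=\s*['"]true['"]\s*\?>""")
# <j:out value="${expr}"/> writes the value raw, regardless of that setting
J_OUT = re.compile(r'<j:out\s+value\s*=\s*"\$\{([^}]*)\}"\s*/?>')
TAG = re.compile(r"<[^>]*>")        # assumes a tag does not span lines
EXPR = re.compile(r"\$\{([^}]*)\}")


def audit_jelly(name, text):
    """Return (file, line_no, kind, expression) for each unescaped output."""
    findings = []
    escaped_by_default = bool(ESCAPE_PI.search(text))
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in J_OUT.finditer(line):
            findings.append((name, line_no, "j:out-unescaped", m.group(1)))
        if not escaped_by_default:
            # Only text nodes are checked: drop every tag (j:out included,
            # so it is not counted twice) and look at what is left.
            for m in EXPR.finditer(TAG.sub("", line)):
                findings.append(
                    (name, line_no, "text-without-escape-by-default", m.group(1)))
    return findings


# Constructed sample modelled on the affected views (not the plugin's file).
BEFORE = """<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core">
  <j:forEach var="t" items="${p.allConfigs}">
    <td><i><j:out value="${t.name}" /></i></td>
    <td><j:out value="${t.comment}" /></td>
  </j:forEach>
</j:jelly>
"""
# Same view with each j:out replaced by a bare expression.
AFTER = J_OUT.sub(lambda m: "${" + m.group(1) + "}", BEFORE)
# The bare-expression view with the escape-by-default declaration removed.
NO_PI = AFTER.split("\n", 1)[1]

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER), ("no-pi", NO_PI)):
        print(label, audit_jelly(label + ".jelly", src))
```

The third sample shows why the declaration matters: the same bare expressions that are clean in the second sample are reported once it is missing.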

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:config-file-provider (Maven) | < 3.2 | 3.2

Patches

5c1df554e44b

[SECURITY-938][SECURITY-1080]

4 files changed · +14 −8
  • src/main/java/org/jenkinsci/plugins/configfiles/ConfigFilesManagement.java+3 0 modified
    @@ -47,6 +47,7 @@ of this software and associated documentation files (the "Software"), to deal
     import org.kohsuke.stapler.StaplerProxy;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.StaplerResponse;
    +import org.kohsuke.stapler.verb.POST;
     
     /**
      * Provides a new link in the "Manage Jenkins" view and builds the UI to manage the configfiles.
    @@ -131,6 +132,7 @@ public Collection<Config> getConfigs() {
          * @param req
          * @return
          */
    +    @POST
         public HttpResponse doSaveConfig(StaplerRequest req) {
             checkPermission(Hudson.ADMINISTER);
             try {
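Review bot: @POST on doSaveConfig only restricts the HTTP verb; the request-forgery protection comes from Jenkins checking the crumb on POST requests, so it holds only where CSRF protection is enabled. The commit message is just the two SECURITY ids, so please state that dependency there, and use the empty "@param req" and "@return" Javadoc tags above the annotation to record that the handler is now POST-only.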
    @@ -189,6 +191,7 @@ public void doEditConfig(StaplerRequest req, StaplerResponse rsp, @QueryParamete
          * @throws IOException
          * @throws ServletException
          */
    +    @POST
         public void doAddConfig(StaplerRequest req, StaplerResponse rsp, @QueryParameter("providerId") String providerId, @QueryParameter("configId") String configId) throws IOException, ServletException {
             checkPermission(Hudson.ADMINISTER);
     
    
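Review bot: doAddConfig becomes POST-only here but still takes providerId and configId through @QueryParameter, and none of the four files in this commit changes a form or link that calls it. Check every caller in the views and confirm it submits a POST form; a plain link to this handler will now be rejected.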
  • src/main/java/org/jenkinsci/plugins/configfiles/folder/FolderConfigFileAction.java+3 0 modified
    @@ -41,6 +41,7 @@
     
     import jenkins.model.TransientActionFactory;
     import net.sf.json.JSONObject;
    +import org.kohsuke.stapler.verb.POST;
     
     public class FolderConfigFileAction implements Action, ConfigFilesUIContract, StaplerProxy {
     
    @@ -116,6 +117,7 @@ public List<ConfigProvider> getProviders() {
         }
     
         @Override
    +    @POST
         public HttpResponse doSaveConfig(StaplerRequest req) throws IOException, ServletException {
             checkPermission(Item.CONFIGURE);
             try {
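Review bot: @POST has to be repeated next to @Override on doSaveConfig because the method comes from ConfigFilesUIContract, so any other implementer of that contract stays reachable by GET unless it is annotated as well. Document the POST-only requirement on the interface method and check the remaining implementations.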
    @@ -175,6 +177,7 @@ public void doEditConfig(StaplerRequest req, StaplerResponse rsp, @QueryParamete
     
     
         @Override
    +    @POST
         public void doAddConfig(StaplerRequest req, StaplerResponse rsp, @QueryParameter("providerId") String providerId, @QueryParameter("configId") String configId) throws IOException, ServletException {
             checkPermission(Item.CONFIGURE);
     
    
  • src/main/resources/lib/configfiles/configfiles.jelly+4 4 modified
    @@ -37,7 +37,7 @@ THE SOFTWARE.
                     <tr valign="center" style="border-top: 0px;">
                         <td class="pane-header" colspan="2">
                             <i>
    -                            <j:out value="${pEntry.key.displayName}"/>
    +                            ${pEntry.key.displayName}
                             </i>
                         </td>
                     </tr>
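Review bot: The bare ${pEntry.key.displayName} that replaces j:out in the pane-header cell is HTML-escaped only if configfiles.jelly declares <?jelly escape-by-default='true'?>, and this hunk starts at line 37, so the declaration is not visible here. Please confirm it is at the top of the file; without it the expression is written as raw as the j:out it replaces.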
    @@ -56,16 +56,16 @@ THE SOFTWARE.
                             </td>
                             <td>
                                 <i>
    -                                <j:out value="${t.name}"/>
    +                                ${t.name}
                                 </i>
                             </td>
                         </tr>
                         <tr>
                             <td>
    -                            <j:out value="${t.contentType}"/>
    +                            ${t.contentType}
                             </td>
                             <td>
    -                            <j:out value="${t.comment}"/>
    +                            ${t.comment}
                             </td>
                         </tr>
                     </j:forEach>
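Review bot: No test accompanies the switch to ${t.name}, ${t.contentType} and ${t.comment} in these cells; the commit touches four files and none of them is a test. Add a regression test that saves a config whose name and comment contain markup and asserts the rendered list shows it as text, so a later edit that reintroduces j:out here is caught.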
    
  • src/main/resources/lib/configfiles/providerlist.jelly+4 4 modified
    @@ -36,7 +36,7 @@ THE SOFTWARE.
                 <table class="pane">
                     <tr valign="center" style="border-top: 0px;">
                         <td class="pane-header" colspan="2">
    -                        <i><j:out value="${p.displayName}" /></i>
    +                        <i>${p.displayName}</i>
                         </td>
                     </tr>
                     <j:forEach var="t" items="${p.allConfigs}">
    @@ -53,12 +53,12 @@ THE SOFTWARE.
                                 </a>
                             </td>
                             <td >
    -                            <i><j:out value="${t.name}" /></i>
    +                            <i>${t.name}</i>
                             </td>
                         </tr>
                         <tr>
    -                        <td><j:out value="${t.contentType}" /></td>
    -                        <td><j:out value="${t.comment}" /></td>
    +                        <td>${t.contentType}</td>
    +                        <td>${t.comment}</td>
                         </tr>
                     </j:forEach>
                 </table>
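Review bot: These cells for t.name, t.contentType and t.comment repeat the markup just fixed in configfiles.jelly, which is why the same four replacements had to be made twice. Consider moving the row rendering into one shared tag under lib/configfiles so the escaping lives in one place.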
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
