CVE-2018-1999029

Vulnerability

Jenkins Shelve Project Plugin version 1.5 and earlier contains a cross-site scripting (XSS) vulnerability in the ShelveProjectAction/index.jelly and ShelvedProjectsAction/index.jelly views. Attackers with Job/Configure permission can inject malicious JavaScript that gets stored and executed in another user's browser when that user performs UI actions on these views [1][2].

Exploitation

An attacker must have Job/Configure permission for a Jenkins job. They can define JavaScript in the affected Jelly views, which will be rendered and executed when another user (e.g., a project administrator or user with view access) interacts with the shelve project UI [1].

Impact

Successful exploitation leads to stored cross-site scripting (XSS). The injected JavaScript executes in the context of the victim's browser, potentially allowing the attacker to perform actions on behalf of the victim, such as modifying job configurations, viewing sensitive data, or performing other Jenkins operations with the victim's privileges [1][2].

Mitigation

The Jenkins Security Advisory 2018-07-30 recommends updating to a fixed version. As of the advisory date (2018-07-30), users should upgrade to a version beyond 1.5 that includes the fix. No workaround is mentioned in the provided references. The plugin may have been fixed in a later release; verify and update if available [1].