PatchSiren cyber security CVE debrief
CVE-2016-4988 Jenkins CVE debrief
CVE-2016-4988 is a cross-site scripting issue in the Jenkins Build Failure Analyzer plugin before version 1.16.0. A remote attacker can inject arbitrary web script or HTML through an unspecified parameter, creating risk for users who view the affected content in Jenkins. The issue was publicly referenced in the Jenkins Security Advisory dated 2016-06-20 and later published in NVD as CVE-2016-4988.
- Vendor: Jenkins
- Product: CVE-2016-4988
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-09
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-09
- Advisory updated: 2026-05-13
Who should care
Jenkins administrators, security teams, and anyone running the Build Failure Analyzer plugin on versions earlier than 1.16.0 should treat this as relevant. Any environment where users can view plugin-generated pages or content in Jenkins is in scope.
Technical summary
NVD classifies this issue as CWE-79 (Cross-site Scripting) with CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, scored 6.1 (Medium). The vulnerable component is the Jenkins Build Failure Analyzer plugin, affected before 1.16.0. The flaw allows a remote attacker to inject arbitrary web script or HTML via an unspecified parameter; user interaction is required for impact.
Defensive priority
Medium priority. The issue is network-reachable and can affect confidentiality and integrity, but it requires user interaction and is limited to installations using the vulnerable plugin version.
Recommended defensive actions
- Upgrade the Jenkins Build Failure Analyzer plugin to version 1.16.0 or later.
- Confirm which Jenkins instances have the Build Failure Analyzer plugin installed and verify the version in use.
- Review any Jenkins pages or plugin output that render user-controlled input and ensure proper output encoding is in place.
- Use the Jenkins vendor advisory to validate remediation steps and confirm the vulnerable component is no longer deployed.
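The inventory step above (find every instance with the plugin installed and compare its version to 1.16.0) is easy to get wrong with string comparison ("1.9.0" sorts after "1.16.0" as text). The following added example, which is not part of the debrief or the Jenkins project, does the comparison numerically over a constructed plugin inventory in the shape Jenkins returns from `/pluginManager/api/json?depth=1` (a `plugins` array whose entries carry `shortName`, `version` and `active`). The plugin identifier `build-failure-analyzer` and the host names are assumptions; confirm the identifier against your own instance's plugin list before relying on it.

```python
# Added example: flag Jenkins instances whose Build Failure Analyzer plugin is
# below the fixed release 1.16.0. Input shape mirrors the pluginManager JSON
# API; the sample inventory below is constructed for this example.
import json
import re

FIXED_VERSION = "1.16.0"
PLUGIN_SHORT_NAME = "build-failure-analyzer"  # assumed identifier; verify locally


def version_key(version: str) -> tuple:
    """Map '1.15.2' or '1.16-beta' to a tuple of ints so that versions
    compare numerically. Only the leading digits of each dot-separated
    component count; qualifiers such as '-beta' are ignored, and short
    versions are padded so '1.16' equals '1.16.0'."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    while len(key) < 3:
        key.append(0)
    return tuple(key)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is strictly below the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def check_instance(plugin_api: dict) -> dict:
    """Inspect one instance's pluginManager JSON. A disabled plugin is still
    reported as installed, since the vulnerable code remains on disk until
    it is upgraded or removed."""
    for plugin in plugin_api.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = plugin.get("version", "0")
            return {
                "installed": True,
                "version": version,
                "active": bool(plugin.get("active", False)),
                "vulnerable": is_vulnerable(version),
            }
    return {"installed": False, "version": None, "active": False, "vulnerable": False}


def audit(inventory: dict) -> dict:
    """Run check_instance over a {host: pluginManager-json} mapping."""
    return {host: check_instance(data) for host, data in inventory.items()}


def vulnerable_hosts(inventory: dict) -> list:
    return sorted(h for h, r in audit(inventory).items() if r["vulnerable"])


# Constructed sample: what four instances might return from the plugin API.
SAMPLE_INVENTORY = {
    host: json.loads(body)
    for host, body in {
        "ci-a.example.internal": '{"plugins": [{"shortName": "build-failure-analyzer", "version": "1.15.0", "active": true}, {"shortName": "git", "version": "3.0.0", "active": true}]}',
        "ci-b.example.internal": '{"plugins": [{"shortName": "build-failure-analyzer", "version": "1.16.0", "active": true}]}',
        "ci-c.example.internal": '{"plugins": [{"shortName": "git", "version": "3.0.0", "active": true}]}',
        "ci-d.example.internal": '{"plugins": [{"shortName": "build-failure-analyzer", "version": "1.9", "active": false}]}',
    }.items()
}


if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        if not result["installed"]:
            state = "not installed"
        elif result["vulnerable"]:
            state = f"VULNERABLE {result['version']}" + ("" if result["active"] else " (disabled)")
        else:
            state = f"patched {result['version']}"
        print(f"{host}: {state}")
```

To use it against real instances, save each instance's `/pluginManager/api/json?depth=1` response and feed the parsed JSON to `check_instance`; the disabled-plugin case is reported on purpose, because a disabled plugin can be re-enabled without an upgrade.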
Evidence notes
The supplied NVD record identifies the affected CPE as jenkins:build_failure_analyzer with versionEndExcluding 1.16.0 and maps the weakness to CWE-79. NVD also links the Jenkins Security Advisory 2016-06-20 as the vendor advisory. Per the supplied timeline, the CVE was published on 2017-02-09 and last modified on 2026-05-13.
Official resources
- CVE-2016-4988 CVE record (CVE.org)
- CVE-2016-4988 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly disclosed in the Jenkins Security Advisory dated 2016-06-20; the CVE record was published by NVD on 2017-02-09 and later modified on 2026-05-13.