Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04OHFqLTNxNmgtOG01cc4AAiCD
Jenkins Build Environment Plugin vulnerable to Cross-site Scripting
Build Environment Plugin did not escape values of environment variables shown on its views. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the values of build environment variables, typically users with Job/Configure or Job/Build permission.
Jenkins applies the missing escaping by default since 2.146 and LTS 2.138.2, so newer Jenkins releases are not affected by this vulnerability.
Build Environment Plugin now escapes all variables displayed in its views.
Permalink: https://github.com/advisories/GHSA-88qj-3q6h-8m5qJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04OHFqLTNxNmgtOG01cc4AAiCD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-88qj-3q6h-8m5q, CVE-2019-10395
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10395
- https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1476
- http://www.openwall.com/lists/oss-security/2019/09/12/2
- https://github.com/jenkinsci/build-environment-plugin/commit/c9797608e839d0dce1957e3c1b512b872839e603
- https://github.com/advisories/GHSA-88qj-3q6h-8m5q
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:build-environment
Affected Version Ranges: < 1.7Fixed in: 1.7