Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13M3BqLXY5anItdjJ3Y84AAg9n
Jenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability
The configuration forms of various post-build steps contributed by CloudBees CD Plugin were vulnerable to cross-site scripting.
This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form.
CloudBees CD Plugin no longer interprets HTML/JavaScript in responses from ElectricFlow server APIs on job configuration forms.
Permalink: https://github.com/advisories/GHSA-w3pj-v9jr-v2wcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13M3BqLXY5anItdjJ3Y84AAg9n
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 4.7
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-w3pj-v9jr-v2wc, CVE-2019-10336
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10336
- https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1420
- http://www.openwall.com/lists/oss-security/2019/06/11/1
- https://web.archive.org/web/20200227033720/http://www.securityfocus.com/bid/108747
- https://github.com/jenkinsci/electricflow-plugin/commit/4550f86e75e0927be644958ed088e4fa82c783b7
- https://github.com/advisories/GHSA-w3pj-v9jr-v2wc
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:electricflow
Affected Version Ranges: <= 1.1.6Fixed in: 1.1.7