Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13cWpqLWM5Y3gtcTdjZs4AAQav
Jenkins Lockable Resources Plugin XSS vulnerability
A cross site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin.
Permalink: https://github.com/advisories/GHSA-wqjj-c9cx-q7cfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cWpqLWM5Y3gtcTdjZs4AAQav
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 4 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-wqjj-c9cx-q7cf, CVE-2019-1003042
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-1003042
- https://access.redhat.com/errata/RHSA-2019:1423
- https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1361
- http://www.openwall.com/lists/oss-security/2019/03/28/2
- http://www.securityfocus.com/bid/107628
- https://github.com/jenkinsci/lockable-resources-plugin/commit/4f401e250eb9e865e951b069255fea7052423739
- https://github.com/advisories/GHSA-wqjj-c9cx-q7cf
Blast Radius: 1.0
Affected Packages
maven:org.6wind.jenkins:lockable-resources
Affected Version Ranges: <= 2.4Fixed in: 2.5