Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jeDVyLXA0dmotMm1xaM4AAhnw
Jenkins Build Pipeline Plugin vulnerable to Cross-site Scripting
Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines.
This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security hardening implemented in those releases.
As of publication of this advisory, there is no fix.
Permalink: https://github.com/advisories/GHSA-cx5r-p4vj-2mqh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jeDVyLXA0dmotMm1xaM4AAhnw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-cx5r-p4vj-2mqh, CVE-2019-10373
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10373
- https://jenkins.io/security/advisory/2019-08-07/#SECURITY-879
- http://www.openwall.com/lists/oss-security/2019/08/07/1
- https://github.com/advisories/GHSA-cx5r-p4vj-2mqh
Affected Packages
maven:org.jenkins-ci.plugins:build-pipeline-plugin
Affected Version Ranges: <= 1.5.8
No known fixed version