Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1meDlwLTJxdngtcGdqds4AAg98

Jenkins ElectricFlow Plugin is vulnerable to stored cross-site scripting

The plugin adds metadata displayed on build pages during its operations.

User-controlled content was not escaped, resulting in a stored cross-site scripting vulnerability that allowed users with Job/Configure permission, or attackers controlling the API responses received from ElectricFlow, to render arbitrary HTML and JavaScript on Jenkins build pages.

Build metadata is now filtered through an HTML formatter that only allows basic HTML to be displayed, neutralizing any unsafe data. Additionally, all builds executed after the security update is applied will properly escape content received from ElectricFlow.

Permalink: https://github.com/advisories/GHSA-fx9p-2qvx-pgjv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1meDlwLTJxdngtcGdqds4AAg98
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-fx9p-2qvx-pgjv, CVE-2019-10335
References: Repository: https://github.com/jenkinsci/electricflow-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:electricflow
Affected Version Ranges: <= 1.1.6
Fixed in: 1.1.7