Cross-Site Scripting in Jenkins Blue Ocean Plugins
CVE-2019-1003013

Score: 5.4 (MEDIUM)

Key Information:

Vendor: Jenkins
CVE Published: 6 February 2019

Summary

A cross-site scripting vulnerability exists in the Jenkins Blue Ocean Plugins, specifically in components such as Export.java and UserStatePreloader.java. The flaw allows authenticated users who can edit their own user descriptions to inject arbitrary HTML into the Blue Ocean interface, potentially compromising the sessions or data of other users who view it. The vulnerability arises from improper handling of user-supplied input, which makes it possible for injected scripts to execute in the browser session of any user viewing the affected page.

Affected Version(s)

Jenkins Blue Ocean Plugins 1.10.1 and earlier

CVSS v3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published: 6 February 2019