CVE-2019-1003013

5.4MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Blue Ocean Plugins
Vendor
CVE Published:
6 February 2019

Summary

An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.

Affected Version(s)

Jenkins Blue Ocean Plugins 1.10.1 and earlier

References

https://access.redhat.com/errata/RHBA-2019:0326
vendor-advisoryx_refsource_REDHAT
https://jenkins.io/security/advisory/2019-01-28/#SECURITY...
x_refsource_CONFIRM
https://access.redhat.com/errata/RHBA-2019:0327
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.