CVE-2019-1003014

CWE-79 — Cross-site Scripting (XSS)7 documents7 sources

Severity

4.8MEDIUM

EPSS

0.1%

top 80.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Config File Provider Jenkins Project Jenkins Config File Provider Plugin Redhat Openshift Container Platform

Timeline

PublishedFeb 6

Latest updateMay 13

Description

An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:config-file-provider< 3.5

▶CVEListV5jenkins_project/jenkins_config_file_provider_plugin3.4.1 and earlier

▶NVDjenkins/config_file_provider3.4.1

Also affects: Openshift Container Platform 3.11

🔴Vulnerability Details

GHSA

Jenkins Config File Provider Plugin XSS vulnerability↗2022-05-13

▶

OSV

Jenkins Config File Provider Plugin XSS vulnerability↗2022-05-13

▶

CVEList

CVE-2019-1003014: An cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3↗2019-02-06

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-01-28↗2019-01-28

▶

Red Hat

jenkins-plugin-config-file-provider: Stored XSS vulnerability in Config File Provider Plugin (SECURITY-1253)↗2019-01-28

▶

💬Community

Bugzilla

CVE-2019-1003014 jenkins-plugin-config-file-provider: Stored XSS vulnerability in Config File Provider Plugin (SECURITY-1253)↗2019-01-31

▶