CVE-2019-1003050 — Cross-site Scripting in Jenkins

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

5.4MEDIUMNVD

EPSS

0.9%

top 23.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Project Jenkins Oracle Communications Cloud Native Core Automated Test Suite +1 more

Timeline

PublishedApr 10

Latest updateMay 13

Description

The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDjenkins/jenkins2.164.1+1

▶CVEListV5jenkins_project/jenkins2.171 and earlier, LTS 2.164.1 and earlier

▶NVDoracle/communications_cloud_native_core_automated_test_suite1.9.0

Also affects: Openshift Container Platform 3.11

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Improper Neutralization of Input During Web Page Generation in Jenkins↗2022-05-13

▶

GHSA

Improper Neutralization of Input During Web Page Generation in Jenkins↗2022-05-13

▶

CVEList

CVE-2019-1003050: The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2↗2019-04-10

▶

📋Vendor Advisories

Red Hat

jenkins: Improper escaping of job URLs in f:validateButton leads to cross-site scripting vulnerability.↗2019-04-10

▶

Jenkins

Jenkins Security Advisory 2019-04-10↗2019-04-10

▶

💬Community

Bugzilla

CVE-2019-1003050 jenkins: Improper escaping of job URLs in f:validateButton leads to cross-site scripting vulnerability. [fedora-all]↗2019-04-12

▶

Bugzilla

CVE-2019-1003050 jenkins: Improper escaping of job URLs in f:validateButton leads to cross-site scripting vulnerability.↗2019-04-12

▶