CVE-2019-10404
Published 2019-09-25. CVE-2019-10404: Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability…
Priority: P4 · 25 · medium · CVSS 3.1 base score 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.03% (59.5th percentile)
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors. The tooltip is rendered for any user who views the build queue, so a job owner who can set a label expression can run script in an administrator's browser session.
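The mechanism described above, modelled in Python as an added example (this is not Jenkins source code). It assumes a simplified "blocked" message that embeds the label expression verbatim and a tooltip attribute that receives that message; the message wording, the function names and the payload are assumptions constructed for the illustration. The same markup is then parsed the way a browser would, to show that the unescaped variant yields a second element with an event handler while the escaped variant round-trips the message as one attribute value.

```python
"""Model of the unescaped-tooltip bug behind CVE-2019-10404 (added example).

Not Jenkins code: the blocked-reason wording, function names and payload are
assumptions made for this illustration.
"""
import html
from html.parser import HTMLParser

# Constructed attacker input: a label expression a job owner could set.
# The '"' closes the tooltip attribute, '>' closes the tag, and the rest is
# a new element carrying an event handler.
PAYLOAD = 'x"><img src=x onerror=alert(1)>'


def blocked_reason(label_expression):
    """Assumed wording of the queue's explanation for a blocked item."""
    return "There are no nodes with the label '%s'" % label_expression


def tooltip_vulnerable(reason):
    """Before: the reason is concatenated into the attribute unescaped."""
    return '<a href="#" tooltip="%s">Build #1</a>' % reason


def tooltip_fixed(reason):
    """After: attribute-safe escaping; quote=True also escapes ' and "."""
    return '<a href="#" tooltip="%s">Build #1</a>' % html.escape(reason, quote=True)


class _TagCollector(HTMLParser):
    """Records (tag, attributes) for every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Return the start tags a browser would create from the markup."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def demo(label_expression=PAYLOAD):
    """Return the parsed tags for the vulnerable and the fixed rendering."""
    reason = blocked_reason(label_expression)
    return {
        "vulnerable": parse_tags(tooltip_vulnerable(reason)),
        "fixed": parse_tags(tooltip_fixed(reason)),
    }


if __name__ == "__main__":
    for variant, tags in demo().items():
        print(variant, [name for name, _ in tags])
```

With the constructed payload the vulnerable rendering parses into an `a` element followed by an `img` element whose `onerror` attribute is the script; the escaped rendering parses into a single `a` element whose `tooltip` attribute, once the parser decodes the entities, is exactly the original message.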
Affected
29 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | application_director_plugin | — | — |
| jenkins | aqua_microscanner_plugin | — | — |
| jenkins | aqua_security_scanner_plugin | — | — |
| jenkins | assembla_plugin | — | — |
| jenkins | azure_event_grid_build_notifier_plugin | — | — |
| jenkins | call_remote_job_plugin | — | — |
| jenkins | cd_plugin | — | — |
| jenkins | codescan_plugin | — | — |
| jenkins | gem_publisher_plugin | — | — |
| jenkins | git_changelog_plugin | — | — |
| jenkins | gitlab_logo_plugin | — | — |
| jenkins | google_calendar_plugin | — | — |
| jenkins | inedo_buildmaster_plugin | — | — |
| jenkins | inedo_proget_plugin | — | — |
| jenkins | jenkins | <= 2.176.3 | — |
| jenkins | jenkins | <= 2.196 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_instance_with_this_plugin | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | kubernetes_pipeline_arquillian_steps_plugin | — | — |
| jenkins | kubernetes_pipeline_kubernetes_steps_plugin | — | — |
| jenkins | log_parser_plugin | — | — |
| jenkins | mask_password_plugin | — | — |
| jenkins | mask_passwords_plugin | — | — |
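Only the two jenkins/jenkins rows above carry version ranges; the description scopes this CVE to Jenkins core (weekly 2.196 and earlier, LTS 2.176.3 and earlier). The triage helper below is an added example, not Jenkins tooling. It assumes the Jenkins version naming convention that LTS releases have three numeric components (2.176.3) and weekly releases two (2.196), and that an instance reports its version in the `X-Jenkins` response header; the sample header map is constructed for the example. The point it makes is that the two release lines must be compared separately, because a numeric comparison across lines gets both directions wrong.

```python
"""Triage helper for the CVE-2019-10404 affected ranges (added example).

Not Jenkins tooling. Assumes x.y.z versions are LTS and x.y versions are
weekly, and that the instance's version is visible in the X-Jenkins header.
"""

# Upper bounds of the affected ranges as stated in the advisory text.
AFFECTED_WEEKLY_MAX = (2, 196)     # "2.196 and earlier"
AFFECTED_LTS_MAX = (2, 176, 3)     # "LTS 2.176.3 and earlier"


def parse_version(version):
    """'2.176.3' -> (2, 176, 3); drops a '-suffix' such as '-SNAPSHOT'."""
    core = version.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) not in (2, 3):
        raise ValueError("unexpected Jenkins version format: %r" % version)
    return parts


def release_line(version):
    """'LTS' for x.y.z versions, 'weekly' for x.y (assumed convention)."""
    return "LTS" if len(parse_version(version)) == 3 else "weekly"


def is_affected(version):
    """True when the version falls inside the affected range for its line.

    Weekly 2.177 is affected (<= 2.196) although it is numerically above
    LTS 2.176.3; LTS 2.176.4 is outside the stated LTS range although it
    is numerically below 2.196. Tuple comparison also keeps 2.200 > 2.196,
    which a string comparison would get wrong.
    """
    v = parse_version(version)
    if len(v) == 3:
        return v <= AFFECTED_LTS_MAX
    return v <= AFFECTED_WEEKLY_MAX


def version_from_headers(headers):
    """Case-insensitive lookup of the X-Jenkins header; None if absent."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def triage(headers):
    """Return (version, line, affected) for a captured response header map."""
    version = version_from_headers(headers)
    if version is None:
        return None
    return version, release_line(version), is_affected(version)


# Constructed sample: headers as a Jenkins instance might return them.
SAMPLE_HEADERS = {"Content-Type": "text/html;charset=utf-8", "X-Jenkins": "2.176.3"}

if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))
    for v in ("2.177", "2.196", "2.197", "2.176.4"):
        print(v, release_line(v), is_affected(v))
```

A version outside the stated range is reported as not affected by this CVE's text; the page does not state the fixed versions, so the helper makes no claim beyond the ranges quoted from the description.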
CVSS provenance
NVD (v3.1): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
NVD (v2.0): 3.5 LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N
Red Hat (vendor): 5.4 MEDIUM
GHSA
Improper Neutralization of Input During Web Page Generation in Jenkins
ghsa · 2022-05-24
CVE-2019-10404 [MEDIUM] CWE-79 Improper Neutralization of Input During Web Page Generation in Jenkins
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.
OSV
Improper Neutralization of Input During Web Page Generation in Jenkins
osv · 2022-05-24
CVE-2019-10404 [MEDIUM] Improper Neutralization of Input During Web Page Generation in Jenkins
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.
Jenkins
Jenkins Security Advisory 2019-09-25
vendor_jenkins · 2019-09-25 · CVSS 5.4
CVE-2019-10401 [MEDIUM] Jenkins Security Advisory 2019-09-25 (the advisory entry is indexed under the first CVE it covers; it also covers CVE-2019-10404)
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- Aqua MicroScanner Plugin
- Aqua Security Scanner Plugin
- Assembla Plugin
- Azure Event Grid Build Notifier Plugin
- Call Remote Job Plugin
- CodeScan Plugin
- D
Red Hat
jenkins: Stored XSS vulnerability in queue item tooltip
vendor_redhat · 2019-09-25 · CVSS 5.4
CVE-2019-10404 [MEDIUM] CWE-79 jenkins: Stored XSS vulnerability in queue item tooltip
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.
Package: jenkins (Red Hat OpenShift Container Platform 3.10) - Out of support scope
Package: jenkins (Red Hat OpenShift Container Platform 3.9) - Out of support scope
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-10401 CVE-2019-10402 CVE-2019-10403 CVE-2019-10404 CVE-2019-10405 CVE-2019-10406 jenkins: various flaws [fedora-all]
bugzilla · 2019-10-23 · CVSS 5.4
CVE-2019-10401 [MEDIUM] (tracking bug covering CVE-2019-10401 through CVE-2019-10406)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE
Bugzilla
CVE-2019-10404 jenkins: Stored XSS vulnerability in queue item tooltip
bugzilla · 2019-10-22 · CVSS 5.4
CVE-2019-10404 [MEDIUM]
Jenkins did not escape the reason a queue item is blocked in tooltips. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the reason a queue item is blocked, for example a label expression that does not match idle executors.
References:
https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1537%20(2)
Discussion:
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1764477]
Published: 2019-09-25