CVE-2019-10406 — Cross-site Scripting in Jenkins

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

4.8MEDIUMNVD

EPSS

0.4%

top 38.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Project Jenkins

Timeline

PublishedSep 25

Latest updateMay 24

Description

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶NVDjenkins/jenkins2.176.3+1

▶CVEListV5jenkins_project/jenkins2.196 and earlier, LTS 2.176.3 and earlier

🔴Vulnerability Details

GHSA

Improper Neutralization of Input During Web Page Generation in Jenkins↗2022-05-24

▶

OSV

Improper Neutralization of Input During Web Page Generation in Jenkins↗2022-05-24

▶

CVEList

CVE-2019-10406: Jenkins 2↗2019-09-25

▶

📋Vendor Advisories

Red Hat

jenkins: XSS vulnerability in Jenkins URL setting↗2019-09-25

▶

Jenkins

Jenkins Security Advisory 2019-09-25↗2019-09-25

▶

💬Community

Bugzilla

CVE-2019-10401 CVE-2019-10402 CVE-2019-10403 CVE-2019-10404 CVE-2019-10405 CVE-2019-10406 jenkins: various flaws [fedora-all]↗2019-10-23

▶

Bugzilla

CVE-2019-10406 jenkins: XSS vulnerability in Jenkins URL setting↗2019-10-22

▶