SB2019080732 - Stored cross-site scripting in Build Pipeline plugin for Jenkins

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019080732

SB2019080732 - Stored cross-site scripting in Build Pipeline plugin for Jenkins

Published: August 7, 2019 Updated: October 4, 2019

Security Bulletin ID SB2019080732
Severity
Low
Patch available
NO
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 security vulnerability.


1) Stored cross-site scripting (CVE-ID: CVE-2019-10373)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the affected software does not properly escape variables in views. A remote authenticated attacker able to edit the build pipeline description can inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security hardening implemented in those releases.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References