CVE-2019-1003013

Name of the Vulnerable Software and Affected Versions: Jenkins Blue Ocean Plugins versions 1.10.1 and earlier

Description: A cross-site scripting issue exists that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. The vulnerability is found in several files, including Export.java, ExportConfig.java, JSONDataWriter.java, UserStatePreloader.java, and header.jelly.

Recommendations: For Jenkins Blue Ocean Plugins versions 1.10.1 and earlier, consider disabling the editing of user descriptions in Jenkins until a patch is available. Restrict access to the Blue Ocean plugin to minimize the risk of exploitation. Avoid using the Blue Ocean plugin with users who have permission to edit descriptions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.