PT-2019-11312 · Jenkins · Jenkins Config File Provider Plugin
Adam Willard
·
Published
2019-02-06
·
Updated
2023-10-25
·
CVE-2019-1003014
CVSS v3.1
4.8
Medium
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Jenkins Config File Provider Plugin versions 3.4.1 and earlier
Description:
A cross-site scripting vulnerability allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete a shared configuration file. The flaw lies in the src/main/resources/lib/configfiles/configfiles.jelly file.
Recommendations:
For Jenkins Config File Provider Plugin versions 3.4.1 and earlier, consider restricting access to the configuration file deletion functionality until a fix is available. As a temporary workaround, avoid using the shared configuration file deletion feature to reduce the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
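To apply the recommendation above across an inventory, a defender first needs to know which instances run an affected release. The following is an added example, not code from the advisory or from the plugin project: it parses a constructed plugins.txt-style listing ("<plugin-id>:<version>", the format used by Jenkins plugin tooling) and flags entries for the Config File Provider Plugin at version 3.4.1 or earlier. The plugin ID `config-file-provider` is assumed here; verify it against your instance's plugin manager.

```python
"""Flag installed Jenkins plugins affected by CVE-2019-1003014 (added example)."""
import re
from typing import Iterable, List, Tuple

# Plugin short name as used by the Jenkins update center (assumed; verify locally).
PLUGIN_ID = "config-file-provider"
# Last affected release per the advisory: 3.4.1 and earlier.
LAST_AFFECTED = "3.4.1"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.4.1', '3.5' or '3.4.1-SNAPSHOT' into a comparable tuple.

    Only leading numeric components are compared. A qualifier such as
    '-SNAPSHOT' or '-beta' is treated as older than the plain release.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    qualifier = m.group(2)
    # Pad so that '3.5' compares as 3.5.0; a qualifier sorts before a release.
    nums = nums + (0,) * (3 - len(nums))
    return nums + ((0,) if qualifier else (1,))


def is_affected(version: str) -> bool:
    """True when the given Config File Provider version is 3.4.1 or earlier."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def find_affected(plugins: Iterable[str]) -> List[str]:
    """Return the vulnerable entries from a plugins.txt-style listing."""
    hits = []
    for line in plugins:
        line = line.strip()
        # Skip blank lines, comments and malformed entries.
        if not line or line.startswith("#") or ":" not in line:
            continue
        pid, version = line.split(":", 1)
        if pid.strip() == PLUGIN_ID and is_affected(version):
            hits.append(line)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real instance.
    sample = ["# plugins.txt", "git:4.0.0", "config-file-provider:3.4.1",
              "config-file-provider:3.5"]
    print(find_affected(sample))
```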
XSS
Affected Products
Jenkins
Jenkins Config File Provider Plugin