PT-2019-11769 · Jenkins · Jenkins Build Pipeline Plugin

Daniel Beck · Published 2019-08-07 · Updated 2023-10-25 · CVE-2019-10373

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Build Pipeline Plugin versions 1.5.8 and earlier

Description
A stored cross-site scripting (XSS) issue allows attackers who can edit the build pipeline description to inject arbitrary HTML and JavaScript into the web pages the plugin serves in Jenkins. The cause is that the Build Pipeline Plugin does not escape variables in its views before writing them into the page, so markup stored in the description is rendered as-is in the browser of anyone who views the pipeline. The issue is only exploitable on Jenkins releases older than 2.146 (weekly) and 2.138.2 (LTS); security hardening introduced in those releases prevents it.

Recommendations
No release of the Build Pipeline Plugin containing a fix is known at the time of writing. For versions 1.5.8 and earlier, as a temporary workaround, restrict the permission to configure build pipelines (and thereby edit their descriptions) to trusted users, and run Jenkins 2.146 or 2.138.2 or newer, where the core hardening blocks exploitation.
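The behaviour described above, as an added example that is not part of this advisory or of the Build Pipeline Plugin's code: a view that interpolates a pipeline description into HTML without escaping, beside the escaped form, and a triage check an administrator can run over a Jenkins-style XML export to find descriptions that already contain markup. The XML layout, element names, payload and function names are assumptions made for illustration, not the plugin's actual files or API.

```python
"""
Added example (not advisory or plugin code). Demonstrates the bug class
behind CVE-2019-10373: a user-controlled description written into a view
without HTML escaping, next to the hardened form, plus a check that scans
stored descriptions for markup. The XML layout below is an assumption.
"""
import html
import re
import xml.etree.ElementTree as ET

# Constructed payload: what an attacker with configure permission on a
# build pipeline might store as its description.
MALICIOUS_DESCRIPTION = 'nightly build <img src=x onerror="alert(document.cookie)">'


def render_vulnerable(description: str) -> str:
    """Mimics a view that interpolates the variable raw (the behaviour the
    advisory describes). The stored markup reaches the browser unchanged."""
    return f'<div class="pipeline-description">{description}</div>'


def render_escaped(description: str) -> str:
    """Hardened form: HTML-escape the untrusted value before interpolation,
    so '<', '>', '&' and quotes become inert character references."""
    return f'<div class="pipeline-description">{html.escape(description, quote=True)}</div>'


# Heuristic for content that has no business in a plain-text description:
# an opening/closing tag, an on* event-handler attribute, or a javascript: URL.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def looks_like_markup(text: str) -> bool:
    """True if the text contains HTML- or script-like fragments."""
    return bool(text) and _MARKUP.search(text) is not None


def find_suspicious_descriptions(config_xml: str) -> list:
    """Walk an XML document and return (parent/description, value) for every
    <description> element whose text looks like markup. The element names
    are an assumption about the export layout; adjust them to your instance."""
    root = ET.fromstring(config_xml)
    hits = []
    for parent in root.iter():
        for child in parent:
            if child.tag == "description" and looks_like_markup(child.text or ""):
                hits.append((f"{parent.tag}/{child.tag}", child.text.strip()))
    return hits


# Constructed sample resembling a config export with two views. The XML
# stores the tag characters as &lt; and &gt;; the parser decodes them back
# to the raw HTML that the vulnerable view would emit.
SAMPLE_CONFIG_XML = """<hudson>
  <views>
    <view>
      <name>release-pipeline</name>
      <description>Builds and deploys the release branch.</description>
    </view>
    <view>
      <name>nightly</name>
      <description>nightly build &lt;img src=x onerror="alert(document.cookie)"&gt;</description>
    </view>
  </views>
</hudson>
"""


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(MALICIOUS_DESCRIPTION))
    print("escaped:   ", render_escaped(MALICIOUS_DESCRIPTION))
    for path, value in find_suspicious_descriptions(SAMPLE_CONFIG_XML):
        print(f"suspicious description at {path}: {value!r}")
```

The scan is a triage aid, not proof of exploitation: it will also flag harmless text that happens to match the pattern, so review each hit by hand, and treat any hit in a view or job that untrusted users could configure as a reason to apply the permission restriction above.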

Weakness Enumeration

XSS

Related Identifiers

CVE-2019-10373
GHSA-CX5R-P4VJ-2MQH

Affected Products

Jenkins
Jenkins Build Pipeline Plugin