PT-2019-11770 · Jenkins · Jenkins Pegdown Formatter Plugin

David Fiser · Published 2019-08-07 · Updated 2023-10-25 · CVE-2019-10374

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins PegDown Formatter Plugin versions 1.3 and earlier
Description: A stored cross-site scripting issue allows attackers who can edit descriptions and other fields to insert links with the javascript: scheme into the Jenkins UI. The PegDown Formatter Plugin uses the PegDown library to render Markdown-formatted descriptions and advertises that it disables HTML to prevent cross-site scripting, but it does not prevent the javascript: scheme in link URLs. As a result, any user able to configure entities whose descriptions are rendered by the configured markup formatter can exploit the issue.
Recommendations: For Jenkins PegDown Formatter Plugin versions 1.3 and earlier, as a temporary workaround, consider disabling the plugin until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation, and avoid using the plugin to render descriptions or similar properties that could be used to insert malicious links. At the moment, there is no information about a newer version that contains a fix for this issue.
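As an added illustration (Python, not code from the plugin or the PegDown library), a minimal inline-link renderer that always escapes raw HTML shows why "HTML disabled" alone does not address this issue, and the scheme allowlist check a description formatter needs. The function names, the allowlist and the sample inputs are constructed for this example.

```python
import re
from html import escape, unescape

# Constructed allowlist of URL schemes a description formatter may emit.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Inline Markdown link: [text](destination), allowing one level of
# parentheses in the destination so that e.g. "void(0)" stays inside it.
LINK_RE = re.compile(r"\[([^\]]*)\]\(((?:[^()]|\([^()]*\))*)\)")

def normalize_href(href: str) -> str:
    """Reduce a link destination to what a browser will actually resolve:
    decode character references, drop ASCII tab/newline, and strip leading
    and trailing C0 controls and spaces. Checking the raw string instead of
    this form is what lets disguised javascript: URLs through."""
    href = unescape(href)
    href = href.replace("\t", "").replace("\n", "").replace("\r", "")
    return re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", href)

def is_safe_href(href: str) -> bool:
    """True for relative URLs and fragments (no scheme) and for allowlisted
    schemes; False for javascript:, data:, vbscript: and anything else."""
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", normalize_href(href))
    if match is None:
        return True
    return match.group(1).lower() in SAFE_SCHEMES

def render_links(markdown: str, block_unsafe_schemes: bool) -> str:
    """Render inline links to HTML with raw HTML always escaped (the
    'HTML disabled' setting). The destination scheme is checked only when
    block_unsafe_schemes is True; with False the output reproduces the
    advisory's failure mode: no tags get through, but a javascript: link does."""
    out, pos = [], 0
    for m in LINK_RE.finditer(markdown):
        out.append(escape(markdown[pos:m.start()]))
        text, href = m.group(1), normalize_href(m.group(2))
        if block_unsafe_schemes and not is_safe_href(href):
            out.append(escape(text))  # keep the label, drop the link
        else:
            out.append(f'<a href="{escape(href, quote=True)}">{escape(text)}</a>')
        pos = m.end()
    out.append(escape(markdown[pos:]))
    return "".join(out)
```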

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-10374
GHSA-922H-X9QV-2274

Affected Products

Jenkins
Jenkins Pegdown Formatter Plugin