PT-2019-11789 · Cloudbees+1 · Jenkins+1
Viktor Gazdag · Published 2019-09-12 · Updated 2023-10-25
CVE-2019-10395
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins versions prior to 2.146
Jenkins Build Environment Plugin versions 1.6 and earlier
Description
This is a cross-site scripting (XSS) vulnerability: the Jenkins Build Environment Plugin did not properly escape the variables it displays on its views. It can be exploited by users who are able to change job or build properties, typically those with Job/Configure or Job/Build permission, because such users control the values of the build environment variables that the plugin renders unescaped.
Recommendations
For Jenkins versions prior to 2.146, update to version 2.146 or newer to resolve the issue.
For Jenkins Build Environment Plugin versions 1.6 and earlier, update to a version that escapes all variables displayed in its views to mitigate the risk of cross-site scripting exploitation.
As a temporary workaround, consider restricting access to the build environment variables and views to minimize the risk of exploitation until a patch is applied.
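The root cause and the fix described above come down to one rendering step: values that a low-privileged user controls are written into a view either as raw HTML or as escaped text. The following is an added, standalone illustration, not code from the Jenkins project or the plugin; the variable names and values are constructed, and the two render functions stand in for a plugin view rather than reproducing the plugin's actual templates.

```python
import html
from html.parser import HTMLParser

# Constructed sample of build environment variables as a view would receive them.
# The last value carries markup so the difference between the two renderers is visible.
SAMPLE_ENV = {
    "BUILD_NUMBER": "42",
    "GIT_BRANCH": "feature/login",
    "CUSTOM_NOTE": "<script>alert(1)</script>",
}


def render_unescaped(env):
    """Vulnerable pattern: user-controlled names and values are concatenated straight into HTML."""
    rows = "".join(f"<tr><td>{name}</td><td>{value}</td></tr>" for name, value in env.items())
    return f"<table>{rows}</table>"


def render_escaped(env):
    """Hardened pattern: every name and value is HTML-escaped before it reaches the markup."""
    rows = "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td><td>{html.escape(value, quote=True)}</td></tr>"
        for name, value in env.items()
    )
    return f"<table>{rows}</table>"


class _TagCollector(HTMLParser):
    """Collects the start tags the browser would actually interpret in a rendered fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered):
    """Return the list of element names present in a rendered HTML fragment.

    Useful as a regression check for a view: only the tags the template itself
    emits (table, tr, td) should ever appear, regardless of the variable values.
    """
    collector = _TagCollector()
    collector.feed(rendered)
    return collector.tags


def view_is_safe(rendered, allowed=("table", "tr", "td")):
    """True when the fragment contains no element outside the template's own tags."""
    return all(tag in allowed for tag in tags_in(rendered))


if __name__ == "__main__":
    print("unescaped safe:", view_is_safe(render_unescaped(SAMPLE_ENV)))  # False
    print("escaped safe:  ", view_is_safe(render_escaped(SAMPLE_ENV)))    # True
```

The `view_is_safe` check is the kind of assertion worth keeping in a plugin's test suite: feed every view a value containing markup and confirm that the only elements in the output are the ones the template itself emits.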
Fix
XSS
Affected Products
Jenkins
Jenkins Build Environment Plugin