PT-2019-11797 · Cloudbees+1 · Jenkins

Wadeck Follonier · Published 2019-09-25 · Updated 2023-11-02 · CVE-2019-10403

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.196 and earlier; Jenkins LTS versions 2.176.3 and earlier
Description: The SCM tag name is not escaped when it is rendered in the tooltip of SCM tag actions, resulting in a stored cross-site scripting (XSS) vulnerability. It can be exploited by users who control the SCM tag names shown by these actions.
Recommendations: For Jenkins versions 2.196 and earlier, update to a version that includes the fix for this issue. For Jenkins LTS versions 2.176.3 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to SCM tag actions to minimize the risk of exploitation.
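To make the defect concrete, the following added illustration (not Jenkins's own code, and not the actual fix) contrasts a hypothetical tooltip renderer that concatenates the tag name verbatim with one that escapes it for an HTML attribute; the class name, the escaper and the markup template are assumptions chosen for the demo. A constructed tag name containing a double quote is enough to break out of the tooltip attribute in the first version and is rendered inert by the second.

```java
// Added illustration, not Jenkins's own code: a hypothetical tooltip renderer for an
// SCM tag action, shown with and without HTML attribute escaping.
public class ScmTagTooltipDemo {

    // Hypothetical escaper for text placed inside a double-quoted HTML attribute
    // (Jenkins core ships its own escaping utilities; this one keeps the demo self-contained).
    static String escapeHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: the tag name is concatenated into the tooltip attribute verbatim,
    // so a name containing a double quote ends the attribute and the rest becomes markup.
    static String renderVulnerable(String tagName) {
        return "<span class=\"scm-tag\" tooltip=\"" + tagName + "\">" + tagName + "</span>";
    }

    // Fixed pattern: the same template, with the untrusted value escaped at the point of output.
    static String renderFixed(String tagName) {
        String safe = escapeHtmlAttribute(tagName);
        return "<span class=\"scm-tag\" tooltip=\"" + safe + "\">" + safe + "</span>";
    }

    // Simple regression check: the template emits exactly two attributes, so the rendered
    // markup must contain exactly four double quotes regardless of the tag name.
    static boolean attributeBoundariesIntact(String html) {
        return html.chars().filter(c -> c == '"').count() == 4;
    }

    public static void main(String[] args) {
        // Constructed tag name: a plausible version string followed by a quote, which is
        // all that is needed to inject a further attribute into the tooltip element.
        String tagName = "release-1.0\" title=\"injected";
        String vulnerable = renderVulnerable(tagName);
        String fixed = renderFixed(tagName);
        System.out.println(vulnerable + "  intact=" + attributeBoundariesIntact(vulnerable));
        System.out.println(fixed + "  intact=" + attributeBoundariesIntact(fixed));
    }
}
```

The quote-count check is deliberately template-specific; in a real view the equivalent safeguard is to route every untrusted value through the framework's attribute escaping rather than to inspect output after the fact.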

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-10403
GHSA-7CJC-XPPR-XJ6X

Affected Products

Jenkins