ASA-2019-00096 – Jenkins: Cross-Site Scripting (XSS) vulnerability via user description in Blue Ocean


Allele Security Alert

ASA-2019-00096

Identifier(s)

ASA-2019-00096, SECURITY-1204, CVE-2019-1003013

Title

Cross-Site Scripting (XSS) vulnerability via user description in Blue Ocean

Vendor(s)

CloudBees, Inc

Product(s)

Jenkins

Affected version(s)

Blue Ocean Plugin up to and including 1.10.1

Fixed version(s)

Blue Ocean Plugin version 1.10.2

Proof of concept

Unknown

Description

Blue Ocean did not properly escape HTML/JavaScript content set on the current user’s description field, resulting in a cross-site scripting vulnerability exploitable by administrators and other people accessing Jenkins with the same user account.

Blue Ocean now properly escapes HTML/JavaScript content set on the current user’s description field.
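The advisory gives no technical details of where Blue Ocean failed to escape, so the following is a generic illustration added here, not Blue Ocean or Jenkins code: a user card rendered once with the description concatenated into markup unchanged (the class of defect described above) and once with HTML escaping applied. The function names, the card markup, the `foreignTags` review helper and the sample user are all assumptions constructed for this example.

```javascript
// Added illustration, not Blue Ocean or Jenkins code: how an unescaped user
// description becomes stored XSS, and the escaping that prevents it.
// Function names, the card markup and the sample user are all assumptions.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace the five characters that can alter HTML structure or terminate an
// attribute value, so user-supplied text is rendered as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: user-controlled fields are concatenated into markup
// unchanged, so any markup inside the description is interpreted by the browser.
function renderUserCardUnescaped(user) {
  return `<div class="user"><span class="name">${user.name}</span>` +
         `<p class="description">${user.description}</p></div>`;
}

// Hardened rendering: the same template, with every user-controlled field
// passed through escapeHtml() before it is concatenated.
function renderUserCardEscaped(user) {
  return `<div class="user"><span class="name">${escapeHtml(user.name)}</span>` +
         `<p class="description">${escapeHtml(user.description)}</p></div>`;
}

// Review helper: list any tag names in the output that the template itself
// did not emit. A non-empty result means user data reached the parser as markup.
const TEMPLATE_TAGS = new Set(['div', 'span', 'p']);
function foreignTags(html) {
  const found = [];
  const tagPattern = /<\/?([a-zA-Z][\w-]*)/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    const tag = match[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

// Constructed sample user (not from the advisory): the description carries a
// script tag and an ampersand so both the structural and the entity case are exercised.
const sampleUser = {
  name: 'alice',
  description: 'Release manager (CI & CD) <script>alert(1)</script>',
};

function demo() {
  const unsafe = renderUserCardUnescaped(sampleUser);
  const safe = renderUserCardEscaped(sampleUser);
  console.log('unescaped foreign tags:', foreignTags(unsafe)); // [ 'script', 'script' ]
  console.log('escaped foreign tags:  ', foreignTags(safe));   // []
  console.log(safe);
}

demo();
```

The point to take from the two render functions is that the fix is applied at the output boundary, on every field a user can set, rather than by trying to filter the stored description: the same description stays in the profile, but the hardened rendering delivers it to the browser as inert text, which is also what the fixed plugin version is described as doing.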

Technical details

Unknown

Credits

Man Shum

Reference(s)

Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28

Jenkins Plugins
https://plugins.jenkins.io/blueocean

CVE-2019-1003013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003013

CVE-2019-1003013
https://nvd.nist.gov/vuln/detail/CVE-2019-1003013


If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.