Allele Security Alert
ASA-2019-00096
Identifier(s)
ASA-2019-00096, SECURITY-1204, CVE-2019-1003013
Title
Cross-Site Scripting (XSS) vulnerability via user description in Blue Ocean
Vendor(s)
CloudBees, Inc
Product(s)
Jenkins
Affected version(s)
Blue Ocean Plugin up to and including 1.10.1
Fixed version(s)
Blue Ocean Plugin version 1.10.2
Proof of concept
Unknown
Description
Blue Ocean did not properly escape HTML/JavaScript content set on the current user’s description field, resulting in a cross-site scripting vulnerability exploitable by administrators and other people accessing Jenkins with the same user account.
Blue Ocean now properly escapes HTML/JavaScript content set on the current user’s description field.
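The description above names the vulnerability class (user-controlled text inserted into markup without escaping) and the fix class (escape it). The following is an added illustration, not code from Blue Ocean or the Jenkins project: a minimal HTML-escaping helper, the unsafe rendering pattern beside the hardened one, and a check that a review or unit test can apply. The function names and the sample description are constructed for this example.

```javascript
// Added example: escape user-controlled text before it is placed into HTML.
// Not Blue Ocean's code; names and sample data are hypothetical.

// Map of the five characters that matter when text lands inside an HTML
// text node or a double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace each special character with its entity; '&' is handled by the same
// pass, so already-escaped input is escaped again rather than double-decoded.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the description string is interpolated verbatim, so any
// tags or script it contains become part of the page.
function renderDescriptionUnsafe(description) {
  return `<p class="user-description">${description}</p>`;
}

// Hardened pattern: every user-controlled value passes through escapeHtml
// before interpolation; the browser shows the text literally.
function renderDescriptionSafe(description) {
  return `<p class="user-description">${escapeHtml(description)}</p>`;
}

// Reviewer/test check: the user-supplied part of the output must not contain
// raw tag delimiters. We strip the fixed wrapper and inspect what remains.
function userPartHasRawMarkup(renderedHtml) {
  const inner = renderedHtml
    .replace(/^<p class="user-description">/, '')
    .replace(/<\/p>$/, '');
  return /[<>]/.test(inner);
}

// Constructed sample (hypothetical): a description containing markup.
const SAMPLE_DESCRIPTION = 'Ops lead <script>doSomething()</script> & "friends"';

// Usage: compare both renderings for the same input.
console.log(renderDescriptionUnsafe(SAMPLE_DESCRIPTION));
console.log(renderDescriptionSafe(SAMPLE_DESCRIPTION));
```

The escape table covers text-node and attribute contexts only; a value placed inside a `<script>` block, a URL, or inline CSS needs context-specific encoding, which is why templating frameworks that escape by default are preferable to hand-rolled interpolation.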
Technical details
Unknown
Credits
Man Shum
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28
Jenkins Plugins
https://plugins.jenkins.io/blueocean
CVE-2019-1003013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003013
CVE-2019-1003013
https://nvd.nist.gov/vuln/detail/CVE-2019-1003013
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: February 24, 2019