ASA-2019-00107 – Jenkins: Cross-Site Scripting (XSS) vulnerability in Warnings Next Generation Plugin


Allele Security Alert

ASA-2019-00107

Identifier(s)

ASA-2019-00107, SECURITY-1271, CVE-2019-1003023

Title

Cross-Site Scripting (XSS) vulnerability in Warnings Next Generation Plugin

Vendor(s)

Jenkins project

Product(s)

Jenkins Warnings Next Generation Plugin

Affected version(s)

Warnings Next Generation Plugin up to and including 1.0.1

Fixed version(s)

Warnings Next Generation Plugin version 2.0.0

Proof of concept

Unknown

Description

Warnings Next Generation Plugin did not properly escape HTML content in warnings displayed on the Jenkins UI, resulting in a cross-site scripting vulnerability exploitable by users able to control warnings parser input.

Technical details

Unknown

Credits

Kalle Niemitalo (Procomp Solutions Oy)

Reference(s)

Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28

Jenkins Plugins
https://plugins.jenkins.io/warnings-ng

CVE-2019-1003023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003023

CVE-2019-1003023
https://nvd.nist.gov/vuln/detail/CVE-2019-1003023

Last modified: March 6, 2019
