Allele Security Alert
ASA-2019-00615
Identifier(s)
ASA-2019-00615, CVE-2019-10475, SECURITY-1490
Title
Reflected Cross-Site Scripting (XSS)
Vendor(s)
Maddy Goss
Yoann Dubreuil
Rolf Rother
Product(s)
Jenkins build-metrics Plugin
Affected version(s)
Jenkins build-metrics Plugin up to and including 1.3
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
Jenkins build-metrics Plugin does not properly escape the label query parameter, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability.
Technical details
Unknown
Credits
Viktor Gazdag (NCC Group)
Reference(s)
Jenkins Security Advisory 2019-10-23
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1490
Jenkins security advisory
https://groups.google.com/d/msg/jenkinsci-advisories/KCv6eDsiV3Y/GNr0aDC3AQAJ
oss-security – Multiple vulnerabilities in Jenkins plugins
https://www.openwall.com/lists/oss-security/2019/10/23/2
Jenkins Plugins
https://plugins.jenkins.io/build-metrics
CVE-2019-10475
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10475
CVE-2019-10475
https://nvd.nist.gov/vuln/detail/CVE-2019-10475
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 8, 2019