ASA-2019-00615 – Jenkins build-metrics Plugin: Reflected Cross-Site Scripting (XSS)


Allele Security Alert

ASA-2019-00615

Identifier(s)

ASA-2019-00615, CVE-2019-10475, SECURITY-1490

Title

Reflected Cross-Site Scripting (XSS)

Vendor(s)

Maddy Goss

Yoann Dubreuil

Rolf Rother

Product(s)

Jenkins build-metrics Plugin

Affected version(s)

Jenkins build-metrics Plugin up to and including 1.3

Fixed version(s)

Unknown

Proof of concept

Unknown

Description

Jenkins build-metrics Plugin does not properly escape the label query parameter, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability.
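
The following is an added illustration, not code from the build-metrics plugin or from the Jenkins project, of the general defect the description names: a query parameter written into HTML without escaping, alongside the escaped form. The class and method names (`LabelRendering`, `renderLabelUnsafe`, `renderLabelSafe`, `escapeHtml`) and the sample label value are hypothetical and constructed here; the plugin's actual view code is not on this page.

```java
import java.util.Objects;

/**
 * Added example (not the plugin's own code): reflecting a user-controlled
 * "label" query parameter into an HTML page. The unsafe method concatenates
 * the raw value into markup; the hardened method HTML-escapes it first.
 * All names here are hypothetical.
 */
public class LabelRendering {

    // Vulnerable pattern: the request parameter is placed straight into markup,
    // so any '<', '>', '&' or quotes in it are interpreted by the browser.
    static String renderLabelUnsafe(String label) {
        return "<h2>Build metrics for label: " + label + "</h2>";
    }

    // Escape the characters that change meaning in an HTML text or
    // double-quoted attribute context. A null parameter renders as empty.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened pattern: the same page, with the parameter escaped on output.
    static String renderLabelSafe(String label) {
        return "<h2>Build metrics for label: " + escapeHtml(label) + "</h2>";
    }

    public static void main(String[] args) {
        // Constructed sample value containing markup characters.
        String label = "linux & <script>alert(1)</script>";

        String unsafe = renderLabelUnsafe(label);
        String safe = renderLabelSafe(label);

        System.out.println(unsafe);
        System.out.println(safe);

        // The escaped output contains no raw tag characters from the parameter.
        String expected = "<h2>Build metrics for label: linux &amp; "
                + "&lt;script&gt;alert(1)&lt;/script&gt;</h2>";
        if (!Objects.equals(safe, expected)) {
            throw new AssertionError("unexpected escaped output: " + safe);
        }
    }
}
```

The fix for this class of bug is to escape at the point where the value is written into the response, not to filter the parameter on input; the escaping rules depend on the output context (HTML text, attribute, JavaScript, URL), and the text-context escaper above is only correct for the first two.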

Technical details

Unknown

Credits

Viktor Gazdag (NCC Group)

Reference(s)

Jenkins Security Advisory 2019-10-23
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1490

Jenkins security advisory
https://groups.google.com/d/msg/jenkinsci-advisories/KCv6eDsiV3Y/GNr0aDC3AQAJ

oss-security – Multiple vulnerabilities in Jenkins plugins
https://www.openwall.com/lists/oss-security/2019/10/23/2

Jenkins Plugins
https://plugins.jenkins.io/build-metrics

CVE-2019-10475
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10475

CVE-2019-10475
https://nvd.nist.gov/vuln/detail/CVE-2019-10475

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: December 8, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.