CVE-2019-10406 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.176.4 || >=2.177 <2.197
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00305 (percentile: 0.53225)
Details
Improper Neutralization of Input During Web Page Generation in Jenkins
Jenkins 2.196 and earlier, and LTS 2.176.3 and earlier, did not restrict or filter values set as the Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
Metadata
Created: 2022-05-24T22:00:44Z
Modified: 2022-06-28T16:13:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hw55-f8wc-82m6/GHSA-hw55-f8wc-82m6.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-hw55-f8wc-82m6
Finding: F425
Auto approve: 1