CVE-2019-10395 – org.jenkins-ci.plugins:build-environment

Package

Manager: maven
Name: org.jenkins-ci.plugins:build-environment
Vulnerable Version: >=0 <1.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00121 pctl0.31931

Details

Jenkins Build Environment Plugin vulnerable to Cross-site Scripting Build Environment Plugin did not escape values of environment variables shown on its views. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the values of build environment variables, typically users with Job/Configure or Job/Build permission. Jenkins applies the missing escaping by default since 2.146 and LTS 2.138.2, so newer Jenkins releases are not affected by this vulnerability. Build Environment Plugin now escapes all variables displayed in its views.

Metadata

Created: 2022-05-24T16:55:59Z
Modified: 2023-03-02T16:41:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-88qj-3q6h-8m5q/GHSA-88qj-3q6h-8m5q.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-88qj-3q6h-8m5q
Finding: F425
Auto approve: 1