CVE-2019-10373 org.jenkins-ci.plugins:build-pipeline-plugin

Package

Manager: maven
Name: org.jenkins-ci.plugins:build-pipeline-plugin
Vulnerable Version: >=0 <=1.5.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00121 (percentile 0.31931)

Details

Jenkins Build Pipeline Plugin vulnerable to Cross-site Scripting

Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines. This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security hardening implemented in those releases. As of publication of this advisory, there is no fix.

Metadata

Created: 2022-05-24T16:52:46Z
Modified: 2023-03-03T23:14:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cx5r-p4vj-2mqh/GHSA-cx5r-p4vj-2mqh.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-cx5r-p4vj-2mqh
Finding: F425
Auto approve: 1