CVE-2019-1003050

Aliases:GHSA-qpg9-83fv-x9ch
Advisory lineage Upstream: 0 Downstream: 1
Downstream
RHBA-2019:1605
Modified
Published: 10 Apr 2019, 20:12
Last modified:05 Aug 2024, 03:07

Vulnerability Summary

Overall Risk (default)
low
22/100
CVSS Score
5.4 MEDIUM
v3.1 (nvd)
EPSS Score
0.47% LOW
0% probability -0.50%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

10 Apr 2019, 20:12
Published
Vulnerability first disclosed
05 Aug 2024, 03:07
Last Modified
Vulnerability information updated

Description

The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.

CVSS Metrics

  • v3.1MEDIUMScore: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • v2.0LOWScore: 3.5AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.47% Percentile: 65%

Techniques & Countermeasures

  • CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Systems

  • jenkins projectjenkins

    2.171 and earlier, LTS 2.164.1 and earlier

  • UnknownJenkins

    ≤ 2.164.1 | ≤ 2.171

  • org.jenkins-ci.mainjenkins-core

    < 2.164.2 | ≥ 2.165, < 2.172

  • oraclecommunications_cloud_native_core_automated_test_suite

    1.9.0

  • redhatopenshift_container_platform

    3.11

References (8)