CVE-2019-1003013

Опубликовано: 06 фев. 2019

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.

Ссылки

https://access.redhat.com/errata/RHBA-2019:0326
Third Party Advisory
https://access.redhat.com/errata/RHBA-2019:0327
Third Party Advisory
https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1204
Vendor Advisory
https://access.redhat.com/errata/RHBA-2019:0326
Third Party Advisory
https://access.redhat.com/errata/RHBA-2019:0327
Third Party Advisory
https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1204
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jenkins:blue_ocean:*:*:*:*:*:jenkins:*:*

Версия до 1.10.1 (включая)

Конфигурация 2

cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*

EPSS

Процентиль: 19%

0.00061

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2019-1003013

CVSS3: 5.4

redhat

около 7 лет назад

GHSA-7fjr-5hph-c2mh

CVSS3: 5.4

github

больше 3 лет назад

Cross-site Scripting in Jenkins Blue Ocean Plugin

EPSS

Процентиль: 19%

0.00061

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79