Description
A cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.10 | jenkins-plugin-blueocean | Will not fix | | |
| Red Hat OpenShift Container Platform 3.4 | jenkins-plugin-blueocean | Will not fix | | |
| Red Hat OpenShift Container Platform 3.5 | jenkins-plugin-blueocean | Will not fix | | |
| Red Hat OpenShift Container Platform 3.6 | jenkins-plugin-blueocean | Will not fix | | |
| Red Hat OpenShift Container Platform 3.7 | jenkins-plugin-blueocean | Will not fix | | |
| Red Hat OpenShift Container Platform 3.9 | jenkins-plugin-blueocean | Will not fix | | |
| Red Hat OpenShift Container Platform 4 | jenkins-2-plugins | Affected | | |
| Red Hat OpenShift Container Platform 3.11 | atomic-enterprise-service-catalog | Fixed | RHBA-2019:0326 | 20.02.2019 |
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Fixed | RHBA-2019:0326 | 20.02.2019 |
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift-cluster-autoscaler | Fixed | RHBA-2019:0326 | 20.02.2019 |
Additional information
Status:
CVSS3: 5.4 Medium
Related vulnerabilities
Cross-site Scripting in Jenkins Blue Ocean Plugin
CVSS3: 5.4 Medium