Jenkins HTML Publisher Plugin 1.20 and earlier did not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2019/10/01/2 | Mailing List Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:4055 | |
https://access.redhat.com/errata/RHSA-2019:4089 | |
https://access.redhat.com/errata/RHSA-2019:4097 | |
https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1590 | Vendor Advisory |
Configurations
History
No history.
Information
Published : 2019-10-01 14:15
Updated : 2023-12-10 13:13
NVD link : CVE-2019-10432
Mitre link : CVE-2019-10432
CVE.ORG link : CVE-2019-10432
JSON object : View
Products Affected
jenkins
- html_publisher
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')