CVE-2019-1003050

Name
CVE-2019-1003050
Description
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Vendor Advisory https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1327
BID http://www.securityfocus.com/bid/107889
REDHAT https://access.redhat.com/errata/RHBA-2019:1605

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* jenkins >= None <= 2.164.1
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:* jenkins >= None <= 2.171

Vulnerable and fixed packages

Source package Branch Version Maintainer Status