CVE-2019-1003013

Description

A cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. This vulnerability is found in: - blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java - blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java - blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java - blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java - blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly

How to fix CVE-2019-1003013

To remediate CVE-2019-1003013, upgrade the affected package to a fixed version below.

• —upgrade to 1.10.2 or later

Is CVE-2019-1003013 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.10.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-1003013
• WEBaccess.redhat.com/errata/RHBA-2019:0326
• WEBaccess.redhat.com/errata/RHBA-2019:0327
• WEBgithub.com/jenkinsci/blueocean-plugin/commit/62775e78532b756826bb237775b64a5052624b57