CVE-2019-10335
Jenkins ElectricFlow Plugin is vulnerable to stored cross-site scripting
Description
The plugin adds metadata that is displayed on build pages during its operations. User-controlled content was not escaped, resulting in a stored cross-site scripting vulnerability that allowed users with Job/Configure permission, or attackers controlling the API responses received from ElectricFlow, to render arbitrary HTML and JavaScript on Jenkins build pages. Build metadata is now filtered through an HTML formatter that allows only basic HTML, neutralizing any unsafe data. Additionally, all builds executed after the security update is applied will properly escape content received from ElectricFlow.
How to fix CVE-2019-10335
To remediate CVE-2019-10335, upgrade the affected package to a fixed version:
- Upgrade to 1.1.7 or later
Is CVE-2019-10335 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Jenkins ElectricFlow Plugin: all versions from 0 up to, but not including, 1.1.7
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |