CVE-2019-10396
Jenkins Dashboard View Plugin vulnerable to Cross-site Scripting
CVSS 3.1: 5.4 (MEDIUM)
EPSS: 0.10%
Description
Dashboard View Plugin did not escape the build description on the Latest Builds View. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the description of builds shown on that view. Dashboard View Plugin now applies the configured markup formatter to the build description, rendering it as it appears elsewhere in Jenkins.
How to fix CVE-2019-10396
To remediate CVE-2019-10396, upgrade the affected package to a fixed version below.
- upgrade to 2.12 or later
Is CVE-2019-10396 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |