Bug 1694538 (CVE-2019-1003042)

Summary:	CVE-2019-1003042 jenkins-plugin-lockable-resources: XSS vulnerability in Lockable Resources Plugin (SECURITY-1361)
Product:	[Other] Security Response	Reporter:	Sam Fowler <sfowler>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	abenaiss, ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, eparis, jburrell, jgoulding, jokerman, mchappel, mmccomas, nstielau, obulatov, pbhattac, sponnaga, vbobade, wzheng
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	jenkins-plugin-lockable-resources 2.5	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-06-10 22:59:02 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1694540, 1694541
Bug Blocks:	1694534

Description Sam Fowler 2019-04-01 04:13:26 UTC

The Lockable Resources Jenkins Plugin did not properly escape resource names in generated JavaScript code, thus leading to a cross-site scripting (XSS) vulnerability.


External Reference:

https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1361

Comment 3 Sam Fowler 2019-04-01 05:22:22 UTC

"Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."

https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary

Comment 4 errata-xmlrpc 2019-06-10 16:58:26 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:1423 https://access.redhat.com/errata/RHSA-2019:1423