Bug 1671324 (CVE-2019-1003014) - CVE-2019-1003014 jenkins-plugin-config-file-provider: Stored XSS vulnerability in Config File Provider Plugin (SECURITY-1253)
Summary: CVE-2019-1003014 jenkins-plugin-config-file-provider: Stored XSS vulnerabilit...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-1003014
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1671469 1671470
Blocks: 1670285
TreeView+ depends on / blocked
 
Reported: 2019-01-31 12:04 UTC by Paul Harvey
Modified: 2021-10-27 03:22 UTC (History)
18 users (show)

Fixed In Version: jenkins-plugin-config-file-provider 3.5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-27 03:22:58 UTC
Embargoed:

Attachments (Terms of Use)

Description Paul Harvey 2019-01-31 12:04:15 UTC 
Config File Provider Plugin up to and including version 3.4.1 improperly handled script names in its JavaScript-based UI, resulting in a stored cross-site scripting (XSS) vulnerability.

Upstream patches:

https://github.com/jenkinsci/config-file-provider-plugin/commit/64fba993c897ff52a9c6c38c6c41806f2e8cc73f
Comment 1 Paul Harvey 2019-01-31 12:04:18 UTC 
External References:

https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1253
Comment 2 Paul Harvey 2019-02-04 06:29:39 UTC 
openshift-enterprise 3.6-3.11 inclusive: affected

Once openshift3/jenkins-1-rhel7, openshift3/jenkins-2-rhel7, openshift3/jenkins-slave-base-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.2+ are encouraged to update these container images in their environment.
Note You need to log in before you can comment on or make changes to this bug.