Bug 1747293 (CVE-2019-10383) - CVE-2019-10383 jenkins: stored cross-site scripting in update center web pages (SECURITY-1453)
Summary: CVE-2019-10383 jenkins: stored cross-site scripting in update center web page...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10383
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1747294 1747302 1747303 1747304
Blocks: 1747299
TreeView+ depends on / blocked
 
Reported: 2019-08-30 04:31 UTC by Dhananjay Arunesh
Modified: 2019-11-29 05:28 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-20 12:45:35 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2789 None None None 2019-09-20 10:16:15 UTC
Red Hat Product Errata RHSA-2019:3144 None None None 2019-10-18 01:34:26 UTC

Description Dhananjay Arunesh 2019-08-30 04:31:27 UTC
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.

Reference:
http://www.openwall.com/lists/oss-security/2019/08/28/4

Comment 1 Dhananjay Arunesh 2019-08-30 04:31:47 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1747294]

Comment 2 Dhananjay Arunesh 2019-08-30 04:52:55 UTC
External References:

https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1453

Comment 3 Sam Fowler 2019-08-30 05:15:31 UTC
"Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."

https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary

Comment 4 Akram Ben Aissi 2019-09-05 08:22:19 UTC
Thank you for opening this bug with us.
We are updating Jenkins to 2.176.3 based on https://bugzilla.redhat.com/show_bug.cgi?id=1747303
As you can see https://github.com/openshift/jenkins/pull/917 is merged into the 3.11 branch, you can expect the release for this byt End of Next week.

Comment 5 errata-xmlrpc 2019-09-20 10:16:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2789 https://access.redhat.com/errata/RHSA-2019:2789

Comment 6 Product Security DevOps Team 2019-09-20 12:45:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10383

Comment 7 errata-xmlrpc 2019-10-18 01:34:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:3144 https://access.redhat.com/errata/RHSA-2019:3144


Note You need to log in before you can comment on or make changes to this bug.