Bug 1764357 (CVE-2019-10401) - CVE-2019-10401 jenkins: Stored XSS vulnerability in expandable textbox form control
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-10401
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1764477 1764478 1764479 1764480 1764481
Blocks: 1764371
Reported: 2019-10-22 20:51 UTC by Pedro Sampaio
Modified: 2020-12-17 10:43 UTC

Fixed In Version: Jenkins 2.197, Jenkins LTS 2.176.4, Jenkins LTS 2.190.1
Clone Of:
Environment:
Last Closed: 2020-07-10 11:39:05 UTC
Embargoed:



Description Pedro Sampaio 2019-10-22 20:51:53 UTC
Jenkins form controls include an expandable textbox that can transform from a single-line text box to a multi-line text area. The implementation of this transformation interpreted the text content of the form field as HTML. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the contents of such f:expandableTextbox form controls.

References:

https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1498
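The following is an added illustration of the bug class described above, not Jenkins' own code: a single-line field value is spliced verbatim into the markup of the expanded control and then treated as HTML. The helper names, the field name "notes" and the sample stored value are all constructed for this example.

```javascript
// Models the pattern behind CVE-2019-10401: stored form-field text is
// interpolated into markup that later becomes live HTML (e.g. via innerHTML).
// Hypothetical helper names; this is not the Jenkins implementation.

// Minimal escaping for text placed into HTML element content or attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored value is concatenated raw, so a value that
// contains a closing tag ends the textarea early and everything after it is
// parsed as markup once the string is rendered.
function expandTextboxVulnerable(name, value) {
  return `<textarea name="${name}">${value}</textarea>`;
}

// Hardened pattern: the value is escaped, so any markup inside it stays inert
// text and the control keeps exactly one opening and one closing tag.
function expandTextboxSafe(name, value) {
  return `<textarea name="${escapeHtml(name)}">${escapeHtml(value)}</textarea>`;
}

// Counts opening and closing occurrences of a tag in rendered markup.
function countTags(html, tag) {
  return (html.match(new RegExp(`</?${tag}\\b`, "gi")) || []).length;
}

// Review/detection check: the expanded control must contribute exactly one
// <textarea> pair; any other count means stored text broke out of the element.
function brokeOutOfTextarea(html) {
  return countTags(html, "textarea") !== 2;
}

// Constructed sample value: harmless markup that nevertheless would be
// interpreted if the vulnerable renderer is used.
const STORED_VALUE = "release notes</textarea><b>injected</b>";

console.log(expandTextboxVulnerable("notes", STORED_VALUE)); // breaks out: true
console.log(expandTextboxSafe("notes", STORED_VALUE));       // breaks out: false
```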

Comment 1 Sam Fowler 2019-10-23 06:44:42 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1764477]

Comment 3 Vibhav Bobade 2020-07-10 11:39:05 UTC
Hello team,

Jenkins is currently (at the time of this comment) on 2.222.1. Fix required 2.196.
Hence closing this bug.

Regards,
Vibhav

