Bug 1764357 (CVE-2019-10401) - CVE-2019-10401 jenkins: Stored XSS vulnerability in expandable textbox form control
Summary: CVE-2019-10401 jenkins: Stored XSS vulnerability in expandable textbox form c...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-10401
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1764478 1764477 1764479 1764480 1764481
Blocks: 1764371
TreeView+ depends on / blocked
 
Reported: 2019-10-22 20:51 UTC by Pedro Sampaio
Modified: 2020-07-16 22:03 UTC (History)
16 users (show)

Fixed In Version: Jenkins 2.197, Jenkins LTS 2.176.4, Jenkins LTS 2.190.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-10 11:39:05 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2019-10-22 20:51:53 UTC
Jenkins form controls include an expandable textbox that can transform from a single-line text box to a multi-line text area. The implementation of this transformation interpreted the text content of the form field as HTML. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the contents of such f:expandableTextbox form controls.

References:

https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1498

Comment 1 Sam Fowler 2019-10-23 06:44:42 UTC
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1764477]

Comment 3 Vibhav Bobade 2020-07-10 11:39:05 UTC
Hello team,

Jenkins is currently(at the time of it's comment) on 2.222.1. Fix required 2.196.
Hence closing this bug.

Regards,
Vibhav


Note You need to log in before you can comment on or make changes to this bug.