Bug 1764387 (CVE-2019-10432) - CVE-2019-10432 jenkins-2-plugins: Stored XSS vulnerability in HTML Publisher Plugin
Summary: CVE-2019-10432 jenkins-2-plugins: Stored XSS vulnerability in HTML Publisher ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10432
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1764462 1764463 1764464 1764467
Blocks: 1764392
TreeView+ depends on / blocked
 
Reported: 2019-10-22 23:43 UTC by Pedro Sampaio
Modified: 2020-03-18 04:55 UTC (History)
10 users (show)

Fixed In Version: htmlpublisher 1.21
Clone Of:
Environment:
Last Closed: 2019-12-11 13:24:05 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:4055 0 None None None 2019-12-16 13:53:40 UTC
Red Hat Product Errata RHSA-2019:4089 0 None None None 2019-12-17 02:17:40 UTC
Red Hat Product Errata RHSA-2019:4097 0 None None None 2019-12-11 08:37:09 UTC

Description Pedro Sampaio 2019-10-22 23:43:27 UTC 
HTML Publisher Plugin did not escape the project or build display name shown in the frame HTML page. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the project or build display name, typically users with Job/Configure or Build/Update permission.

References:

https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1590
Comment 3 errata-xmlrpc 2019-12-11 08:37:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2019:4097 https://access.redhat.com/errata/RHSA-2019:4097
Comment 4 Product Security DevOps Team 2019-12-11 13:24:05 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10432
Comment 5 errata-xmlrpc 2019-12-16 13:53:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:4055 https://access.redhat.com/errata/RHSA-2019:4055
Comment 6 errata-xmlrpc 2019-12-17 02:17:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:4089 https://access.redhat.com/errata/RHSA-2019:4089
Note You need to log in before you can comment on or make changes to this bug.