Description
An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.
Analysis
No analysis available yet.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Jenkins project | Jenkins Blue Ocean Plugins | affected |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Red Hat OpenShift Container Platform 3.11 | |||
| atomic-enterprise-service-catalog-1:3.11.82-1.git.1673.133961e.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| atomic-openshift-0:3.11.82-1.git.0.08bc31b.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| atomic-openshift-cluster-autoscaler-0:3.11.82-1.git.0.efb6af0.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| atomic-openshift-descheduler-0:3.11.82-1.git.300.89765c9.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| atomic-openshift-dockerregistry-0:3.11.82-1.git.452.0ce6383.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| atomic-openshift-metrics-server-0:3.11.82-1.git.52.2fdca3f.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| atomic-openshift-node-problem-detector-0:3.11.82-1.git.254.a448936.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| atomic-openshift-service-idler-0:3.11.82-1.git.14.e353758.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| atomic-openshift-web-console-0:3.11.82-1.git.355.5e8b1d9.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| golang-github-openshift-oauth-proxy-0:3.11.82-1.git.425.7cac034.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| golang-github-prometheus-alertmanager-0:3.11.82-1.git.0.3bf41ce.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| golang-github-prometheus-node_exporter-0:3.11.82-1.git.1063.48444e8.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| golang-github-prometheus-prometheus-0:3.11.82-1.git.5027.9d24833.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| haproxy-0:1.8.17-3.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| jenkins-0:2.150.2.1549032159-1.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| jenkins-2-plugins-0:3.11.1549642489-1.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| openshift-ansible-0:3.11.82-3.git.0.9718d0a.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| openshift-enterprise-autoheal-0:3.11.82-1.git.219.0b5aff4.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
| openshift-enterprise-cluster-capacity-0:3.11.82-1.git.380.cf11c51.el7 | cpe:/a:redhat:openshift:3.11::el7 | RHBA-2019:0326 | 2019-02-20T00:00:00Z |
No data available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2022-2986 | An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. |
 Github GHSA |
GHSA-7fjr-5hph-c2mh | Cross-site Scripting in Jenkins Blue Ocean Plugin |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: jenkins
Published:
Updated: 2024-08-05T03:00:19.473Z
Reserved: 2019-02-06T00:00:00.000Z
Link: CVE-2019-1003013
Vulnrichment
No data.
NVD
Status : Modified
Published: 2019-02-06T16:29:00.703
Modified: 2024-11-21T04:17:44.413
Link: CVE-2019-1003013
Redhat
OpenCVE Enrichment
No data.
Weaknesses