Miggo Logo

CVE-2018-1000413: Stored XSS vulnerability in Config File Provider Plugin

5.4

CVSS Score
3.0

Basic Information

EPSS Score
0.29619%
Published
5/14/2022
Updated
12/15/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:config-file-providermaven<= 3.13.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper output encoding in the Jelly templates. The commit 5c1df55 shows that prior to the fix, these templates used direct variable interpolation (e.g., ${t.name}) instead of the escaping-aware <j:out> tag. This allowed unescaped rendering of user-controlled configuration metadata. The advisory explicitly identifies these files as the source of the XSS vulnerability, and the patch corrected the escaping mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *ross-sit* s*riptin* vuln*r**ility *xists in J*nkins *on*i* *il* Provi**r Plu*in *.* *n* **rli*r in *on*i**il*s.j*lly, provi**rlist.j*lly t**t *llows us*rs wit* t** **ility to *on*i*ur* *on*i*ur*tion *il*s to ins*rt *r*itr*ry *TML into som* p***s i

Reasoning

T** vuln*r**ility st*ms *rom improp*r output *n*o*in* in t** J*lly t*mpl*t*s. T** *ommit ******* s*ows t**t prior to t** *ix, t**s* t*mpl*t*s us** *ir**t v*ri**l* int*rpol*tion (*.*., `${t.n*m*}`) inst*** o* t** *s**pin*-*w*r* `<j:out>` t**. T*is *ll