5.4

CVSS Score

Basic Information

CVE ID

CVE-2019-1003013

GHSA ID

GHSA-7fjr-5hph-c2mh

EPSS Score

CWE

CWE-79

Published

5/13/2022

Updated

12/7/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-1003013

CVE-2019-1003013:
Cross-site Scripting in Jenkins Blue Ocean Plugin

A cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user. This vulnerability is found in:

blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java
blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java
blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java
blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java
blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly

(GitHub Advisory)

5.4

CVSS Score

Basic Information

CVE ID

CVE-2019-1003013

GHSA ID

GHSA-7fjr-5hph-c2mh

EPSS Score

CWE

CWE-79

Published

5/13/2022

Updated

12/7/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.jenkins.blueocean:blueocean	maven	< 1.10.2	1.10.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from unescaped user-controlled HTML in JSON output. The JSONDataWriter.value() method lacked HTML escaping by default, and UserStatePreloader.getStateJson() used the vulnerable serialization without enabling the htmlEncode flag. The fix added HTML escaping in both places (via StringEscapeUtils and ExportConfig.withHtmlEncode), confirming these were the injection points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *ross-sit* s*riptin* vuln*r**ility *xists in J*nkins *lu* O***n Plu*ins *.**.* *n* **rli*r t**t *llows *tt**k*rs wit* p*rmission to **it * us*r's **s*ription in J*nkins to **v* *lu* O***n r*n**r *r*itr*ry *TML w**n usin* it *s t**t us*r. T*is vuln*

Reasoning

T** vuln*r**ility st*mm** *rom un*s**p** us*r-*ontroll** *TML in JSON output. T** JSON**t*Writ*r.v*lu*() m*t*o* l**k** *TML *s**pin* *y ****ult, *n* Us*rSt*t*Pr*lo***r.**tSt*t*Json() us** t** vuln*r**l* s*ri*liz*tion wit*out *n**lin* t** *tml*n*o** *

5.4

Basic Information

Concerned about an active attack path?

CVE-2019-1003013: Cross-site Scripting in Jenkins Blue Ocean Plugin

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-1003013:
Cross-site Scripting in Jenkins Blue Ocean Plugin

Vulnerability Intelligence
Miggo AI