
CVE-2019-1003014: Jenkins Config File Provider Plugin XSS vulnerability

CVSS Score: 4.8 (CVSS version 3.0)

Basic Information

EPSS Score: 0.21231%
Published: 5/13/2022
Updated: 1/9/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name: org.jenkins-ci.plugins:config-file-provider
Ecosystem: maven
Vulnerable Versions: < 3.5
First Patched Version: 3.5

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from how user-controlled input (`config.php` file names) was embedded into JavaScript code in the Jelly templates. The original code used `onclick="return cfp_confirmDelete('${t.name}')"`, which inserted the unescaped `t.name` into the JavaScript context. Attackers could inject arbitrary JavaScript via the `config.php` name. The fix moved the value to a `data-confirm` attribute (HTML-encoded) and retrieved it via the DOM, avoiding direct script injection. The vulnerable functions are the JavaScript handlers in the Jelly files that improperly handled user input before the patch.
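The context problem described above, as an added example that is not code from the plugin or from this page: it compiles the inline handler the way a browser does and checks whether a file name reaches `cfp_confirmDelete` as data. It goes one step beyond the page by also testing an HTML-escaped interpolation, which fails for the same reason. The stub, the `getAttribute` read, the helper names and the file name `O'Brien.xml` are assumptions constructed for the demonstration.

```javascript
// Added example; helper names and the sample file name are constructed.
// Template-side HTML escaping (numeric entities, assumed for illustration).
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
// What the HTML parser does to an attribute value before anything reads it.
const decodeAttr = (s) => s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));

// Before the fix (as quoted on the page): name interpolated into onclick.
const rawOnclick = (name) => `return cfp_confirmDelete('${name}')`;
// Same interpolation with HTML escaping added in the template.
const escapedOnclick = (name) => `return cfp_confirmDelete('${escapeHtml(name)}')`;
// After the fix: constant handler text, name carried in data-confirm.
const FIXED_ONCLICK = "return cfp_confirmDelete(this.getAttribute('data-confirm'))";

// Compile and run an inline handler as a browser would: decode the
// attribute text first, then treat the result as a function body.
function runHandler(onclickAttr, attrs = {}) {
  const seen = [];
  const confirmStub = (name) => { seen.push(name); return false; };
  const element = { getAttribute: (k) => decodeAttr(attrs[k]) };
  try {
    const handler = new Function('cfp_confirmDelete', decodeAttr(onclickAttr));
    handler.call(element, confirmStub);
    return { ok: true, seen };
  } catch (err) {
    // The name changed the handler's syntax: it was parsed as code.
    return { ok: false, error: err.name };
  }
}

// Run one file name through all three template variants.
function checkName(name) {
  return {
    raw: runHandler(rawOnclick(name)),
    escaped: runHandler(escapedOnclick(name)),
    fixed: runHandler(FIXED_ONCLICK, { 'data-confirm': escapeHtml(name) }),
  };
}

console.log(checkName("O'Brien.xml"));
```

A name containing only an apostrophe is enough to show the flaw: in the first two variants part of the name is parsed as JavaScript, while the `data-confirm` variant hands it to the function unchanged.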


WAF Protection Rules

WAF Rule

A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin *.*.* and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitr
