5.4

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-10325

GHSA ID

GHSA-wrr5-p265-7252

EPSS Score

0.21769%

CWE

CWE-79

Published

5/24/2022

Updated

1/30/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10325

CVE-2019-10325: Jenkins Warnings NG Plugin Cross-site scripting vulnerability

A cross-site scripting vulnerability in Jenkins Warnings NG Plugin 5.0.0 and earlier allowed attacker with Job/Configure permission to inject arbitrary JavaScript in build overview pages.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2019-10325

CVE-2019-10325:

5.4

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-10325

GHSA ID

GHSA-wrr5-p265-7252

EPSS Score

0.21769%

CWE

CWE-79

Published

5/24/2022

Updated

1/30/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.jenkins.plugins:warnings-ng	maven	<= 5.0.0	5.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped rendering of custom parser names in Jenkins UI. The changelog explicitly mentions adding escaping for parser names in 5.1.0. The getName() method on the CustomParser class would be the source of the unvalidated output, as it provides the raw parser name to Jelly views. During exploitation, this method would appear in stack traces when malicious parser names are processed and rendered without sanitization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2019-10325: Jenkins Warnings NG Plugin Cross-site scripting vulnerability

CVE-2019-10325:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2019-10325: Jenkins Warnings NG Plugin Cross-site scripting vulnerability

5.4

5.4

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI