Miggo Logo

CVE-2019-10325: Jenkins Warnings NG Plugin Cross-site scripting vulnerability

5.4

CVSS Score
3.0

Basic Information

EPSS Score
0.21769%
Published
5/24/2022
Updated
1/30/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
io.jenkins.plugins:warnings-ngmaven<= 5.0.05.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unescaped rendering of custom parser names in Jenkins UI. The changelog explicitly mentions adding escaping for parser names in 5.1.0. The getName() method on the CustomParser class would be the source of the unvalidated output, as it provides the raw parser name to Jelly views. During exploitation, this method would appear in stack traces when malicious parser names are processed and rendered without sanitization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *ross-sit* s*riptin* vuln*r**ility in J*nkins W*rnin*s N* Plu*in *.*.* *n* **rli*r *llow** *tt**k*r wit* Jo*/*on*i*ur* p*rmission to inj**t *r*itr*ry J*v*S*ript in *uil* ov*rvi*w p***s.

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** r*n**rin* o* *ustom p*rs*r n*m*s in J*nkins UI. T** ***n**lo* *xpli*itly m*ntions ***in* *s**pin* *or p*rs*r n*m*s in *.*.*. T** `**tN*m*()` m*t*o* on t** *ustomP*rs*r *l*ss woul* ** t** sour** o* t** unv*li**t*