
CVE-2019-10410: Jenkins Log Parser Plugin vulnerable to Cross-site Scripting

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.34415%
Published: 5/24/2022
Updated: 2/23/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name                        Ecosystem   Vulnerable Versions   First Patched Version
org.jenkins-ci.plugins:log-parser   maven       < 2.1                 2.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unescaped error messages in log parsing pattern validation. Key points:

  1. The advisory specifically mentions missing escaping in error message display
  2. Jenkins' Jelly templating system requires explicit output escaping via ${%escape(...)}
  3. The pattern validation workflow would involve:
    • A validation method (like doCheckParsingRules) returning error messages
    • A configuration view (config.jelly) displaying these messages
  4. Pre-2.1 versions lacked escaping in these view templates, as confirmed by the patch note stating 'escapes all variables displayed in its views'
  5. The combination of unvalidated user input (parsing rules) and unescaped output in error display creates the XSS vector
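
The following is an added illustration, not code from the Log Parser Plugin or from Miggo: a hypothetical rule validator (the rule syntax, class and method names are assumptions) whose error message echoes the submitted rule back, rendered once the way an unescaped view would show it and once with HTML escaping applied to the displayed variable. It makes the point of items 3 to 5 concrete: the validation method itself is not where the defect lives; the view that prints its message without escaping is.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Added example (not the plugin's code). A hypothetical parsing-rule validator whose
 * error text contains the rule the user typed, shown once without and once with escaping.
 */
public class ParsingRuleValidationExample {

    /** Validation outcome; the message may contain text the submitter controls. */
    static final class Result {
        final boolean valid;
        final String message;

        Result(boolean valid, String message) {
            this.valid = valid;
            this.message = message;
        }
    }

    /**
     * Treats each rule as a regular expression (an assumption made for this example).
     * On failure the raw rule text is echoed back, which is how user-controlled input
     * ends up inside an error message.
     */
    static Result validateRule(String rule) {
        try {
            Pattern.compile(rule);
            return new Result(true, "OK");
        } catch (PatternSyntaxException e) {
            return new Result(false,
                "Invalid parsing rule '" + rule + "': " + e.getDescription());
        }
    }

    /** Escapes the characters that change meaning in HTML text or attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The pre-fix shape: the variable is interpolated into the view verbatim. */
    static String renderUnescaped(Result r) {
        return "<div class=\"error\">" + r.message + "</div>";
    }

    /** The fixed shape: every variable displayed by the view is escaped first. */
    static String renderEscaped(Result r) {
        return "<div class=\"error\">" + escapeHtml(r.message) + "</div>";
    }

    /** Review check: does a rendered fragment still contain the submitted tag unescaped? */
    static boolean containsRawTag(String html, String tag) {
        return html.contains("<" + tag + ">");
    }

    public static void main(String[] args) {
        // Constructed sample rule: the unbalanced '(' makes it invalid, and the <i> element
        // stands in for any markup a submitter could place in a rule.
        String rule = "error (<i>marker</i>";
        Result r = validateRule(rule);

        String unsafe = renderUnescaped(r);
        String safe = renderEscaped(r);

        System.out.println("valid: " + r.valid);
        System.out.println("unescaped view: " + unsafe);
        System.out.println("escaped view:   " + safe);
        // The marker element survives in the unescaped view and is neutralised in the escaped one.
        System.out.println("raw <i> in unescaped view: " + containsRawTag(unsafe, "i"));
        System.out.println("raw <i> in escaped view:   " + containsRawTag(safe, "i"));
    }
}
```

Compile and run with `javac ParsingRuleValidationExample.java && java ParsingRuleValidationExample`. The same message object feeds both renderers, which is the situation the advisory describes: the fix is not to sanitise the rule on the way in (a regex legitimately contains `<` and `>`), but to escape the message at the point where the view displays it, which is what the 2.1 patch note's "escapes all variables displayed in its views" refers to.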


WAF Protection Rules

WAF Rule

Log Parser Plugin did not escape an error message shown when log parsing patterns are invalid. This resulted in a persisted cross-site scripting vulnerability exploitable by attackers able to control the log parsing rules configuration, typically use
