5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10410

GHSA ID

GHSA-xqqw-cqjp-52xm

EPSS Score

0.34415%

CWE

CWE-79

Published

5/24/2022

Updated

2/23/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10410

CVE-2019-10410:
Jenkins Log Parser Plugin vulnerable to Cross-site Scripting

Log Parser Plugin did not escape an error message shown when log parsing patterns are invalid. This resulted in a persisted cross-site scripting vulnerability exploitable by attackers able to control the log parsing rules configuration, typically users with Job/Configure permission.

Jenkins applies the missing escaping by default since 2.146 and LTS 2.138.2, so newer Jenkins releases are not affected by this vulnerability.

Log Parser Plugin version 2.1 escapes all variables displayed in its views.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10410

GHSA ID

GHSA-xqqw-cqjp-52xm

EPSS Score

0.34415%

CWE

CWE-79

Published

5/24/2022

Updated

2/23/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:log-parser	maven	< 2.1	2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped error messages in log parsing pattern validation. Key points:

The advisory specifically mentions missing escaping in error message display
Jenkins' Jelly templating system requires explicit output escaping via ${%escape(...)}
The pattern validation workflow would involve:
- A validation method (like doCheckParsingRules) returning error messages
- A configuration view (config.jelly) displaying these messages
Pre-2.1 versions lacked escaping in these view templates, as confirmed by the patch note stating 'escapes all variables displayed in its views'
The combination of unvalidated user input (parsing rules) and unescaped output in error display creates the XSS vector

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Lo* P*rs*r Plu*in *i* not *s**p* *n *rror m*ss*** s*own w**n lo* p*rsin* p*tt*rns *r* inv*li*. T*is r*sult** in * p*rsist** *ross-sit* s*riptin* vuln*r**ility *xploit**l* *y *tt**k*rs **l* to *ontrol t** lo* p*rsin* rul*s *on*i*ur*tion, typi**lly us*

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** *rror m*ss***s in lo* p*rsin* p*tt*rn v*li**tion. K*y points: *. T** **visory sp**i*i**lly m*ntions missin* *s**pin* in *rror m*ss*** *ispl*y *. J*nkins' J*lly t*mpl*tin* syst*m r*quir*s *xpli*it output *s**pin*

5.4

Basic Information

Concerned about an active attack path?

CVE-2019-10410: Jenkins Log Parser Plugin vulnerable to Cross-site Scripting

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-10410:
Jenkins Log Parser Plugin vulnerable to Cross-site Scripting

Vulnerability Intelligence
Miggo AI