CVE-2019-10410: Jenkins Log Parser Plugin vulnerable to Cross-site Scripting
CVSS Score: 5.4 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-10410
GHSA ID
EPSS Score: 0.34415%
CWE
Published: 5/24/2022
Updated: 2/23/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:log-parser | maven | < 2.1 | 2.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unescaped error messages in log parsing pattern validation. Key points:
- The advisory specifically mentions missing escaping in error message display.
- Jenkins' Jelly templating system requires explicit output escaping via ${%escape(...)}.
- The pattern validation workflow would involve:
  - a validation method (like doCheckParsingRules) returning error messages;
  - a configuration view (config.jelly) displaying these messages.
- Pre-2.1 versions lacked escaping in these view templates, as confirmed by the patch note stating that the plugin 'escapes all variables displayed in its views'.
- The combination of unvalidated user input (parsing rules) and unescaped output in the error display creates the XSS vector.