Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2019-10475

CVE-2019-10475:
Jenkins build-metrics Plugin reflected cross-site scripting vulnerability

6.1

CVSS Score

Basic Information

CVE ID
CVE-2019-10475
GHSA ID
GHSA-f8w9-66fp-3jgw
EPSS Score
-
CWE
CWE-79
Published
5/24/2022
Updated
1/5/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:build-metricsmaven<= 1.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper escaping of the 'label' query parameter in the UI rendering layer. Jenkins plugins typically use Jelly templates for view rendering, and reflected XSS in this context would occur when user-controlled input (like the 'label' parameter) is directly interpolated into HTML without proper escaping. The advisory explicitly identifies the 'label' parameter as the injection vector, and the lack of escaping in the report display functionality (handled by BuildMetricsReport/index.jelly) would be the logical location for this vulnerability. The confidence is high because the pattern matches standard Jenkins plugin XSS vulnerabilities and the advisory specifically calls out the parameter and lack of escaping.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *uil*-m*tri*s Plu*in *o*s not prop*rly *s**p* t** `l***l` qu*ry p*r*m*t*r, r*sultin* in * r**l**t** *ross-sit* s*riptin* vuln*r**ility. *s o* pu*li**tion o* t*is **visory, t**r* is no *ix.

Reasoning

T** vuln*r**ility st*ms *rom improp*r *s**pin* o* t** 'l***l' qu*ry p*r*m*t*r in t** UI r*n**rin* l*y*r. J*nkins plu*ins typi**lly us* J*lly t*mpl*t*s *or vi*w r*n**rin*, *n* r**l**t** XSS in t*is *ont*xt woul* o**ur w**n us*r-*ontroll** input (lik*