GitHub Advisory DatabaseGHSA-W3PJ-V9JR-V2WCJenkins ElectricFlow Plugin is vulnerable to reflected cross site scripting vulnerability
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
52.8%
The configuration forms of various post-build steps contributed by CloudBees CD Plugin were vulnerable to cross-site scripting.
This allowed attackers able to control the output of connected ElectricFlow servers’ APIs to inject arbitrary HTML and JavaScript into the configuration form.
CloudBees CD Plugin no longer interprets HTML/JavaScript in responses from ElectricFlow server APIs on job configuration forms.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| org.jenkins-ci.plugins | electricflow | * | cpe:2.3:a:org.jenkins-ci.plugins:electricflow:*:*:*:*:*:*:*:* |
References
www.openwall.com/lists/oss-security/2019/06/11/1
github.com/advisories/GHSA-w3pj-v9jr-v2wc
github.com/jenkinsci/electricflow-plugin/commit/4550f86e75e0927be644958ed088e4fa82c783b7
jenkins.io/security/advisory/2019-06-11/#SECURITY-1420
nvd.nist.gov/vuln/detail/CVE-2019-10336
web.archive.org/web/20200227033720/www.securityfocus.com/bid/108747
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
52.8%