VYPR
Moderate severity · NVD Advisory · Published Feb 6, 2019 · Updated Sep 17, 2024

CVE-2019-1003023

Description

A stored XSS vulnerability in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier allows attackers controlling parser input to inject arbitrary HTML.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the Jenkins Warnings Next Generation Plugin versions 1.0.1 and earlier. The affected code spans several Java source files: DetailsTableModel.java, SourceDetail.java, SourcePrinter.java, Sanitizer.java, and DuplicateCodeScanner.java. These components do not sanitize the warning text that parsers extract from build output before it is rendered, so whoever controls that text can inject arbitrary HTML into the plugin's views. Because the parsed results are persisted with the build, the injected markup is served to every user who later opens the affected page. [1][2]

Exploitation

An attacker who can influence what a warnings parser reads (for example, by committing code whose compiler output contains a crafted warning message, or by supplying a crafted report file that a parser consumes during a build) can inject malicious HTML into the stored results. No special network position is required, and no privileges beyond the access needed to affect a build's input: the plugin stores the parser output and renders it unsanitized to anyone who views the results. [2]
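The parser-to-view data flow described above, as an added example that is not code from the Warnings Next Generation Plugin (which is written in Java); it models the same flow in Python. A constructed gcc-style build log carries a crafted warning message; render_vulnerable interpolates the parsed message into an HTML table the way the unpatched views did, while render_hardened passes it through a small allowlist sanitizer that keeps a few formatting tags and drops every attribute. The parser regex, the table layout, the allowlist and all names here are assumptions chosen for illustration, not the plugin's own.

```python
"""Stored XSS through warnings-parser input, modelled in Python (added example)."""
import html
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Constructed build log. The second line is the crafted "warning": anything a
# compiler prints about attacker-controlled source ends up in the parser's input.
CONSTRUCTED_BUILD_LOG = """\
src/main.c:12:5: warning: unused variable 'tmp' [-Wunused-variable]
src/evil.c:1:1: warning: <img src=x onerror="alert(document.cookie)"> looks unused
src/io.c:40:3: warning: call to <b>deprecated</b> function fread_old
"""

# Assumed gcc-style warning format: file:line:column: warning: message
GCC_WARNING = re.compile(
    r"^(?P<file>[^:\n]+):(?P<line>\d+):\d+: warning: (?P<message>.*)$", re.M
)


@dataclass
class ParsedWarning:
    file: str
    line: int
    message: str


def parse_gcc_warnings(log: str) -> list[ParsedWarning]:
    """Minimal parser: attacker-influenced text lands verbatim in .message."""
    return [
        ParsedWarning(m["file"], int(m["line"]), m["message"])
        for m in GCC_WARNING.finditer(log)
    ]


def render_vulnerable(warnings: list[ParsedWarning]) -> str:
    """Vulnerable pattern: parser output is interpolated into the view as raw HTML."""
    rows = "".join(
        f"<tr><td>{w.file}</td><td>{w.line}</td><td>{w.message}</td></tr>"
        for w in warnings
    )
    return f"<table>{rows}</table>"


class AllowlistSanitizer(HTMLParser):
    """Tiny allowlist sanitizer: keeps a few formatting tags, drops all other tags
    and every attribute (so event handlers cannot survive) and escapes text."""

    ALLOWED = {"b", "i", "code", "br"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:          # attributes are intentionally discarded
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in self.ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize(untrusted: str) -> str:
    """Return untrusted HTML reduced to the allowlist, with text escaped."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out)


def render_hardened(warnings: list[ParsedWarning]) -> str:
    """Hardened pattern: every parser-derived string is sanitized or escaped."""
    rows = "".join(
        f"<tr><td>{html.escape(w.file)}</td><td>{w.line}</td>"
        f"<td>{sanitize(w.message)}</td></tr>"
        for w in warnings
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    parsed = parse_gcc_warnings(CONSTRUCTED_BUILD_LOG)
    print("vulnerable:", render_vulnerable(parsed))
    print("hardened:  ", render_hardened(parsed))
```

The sanitizer deliberately keeps no attributes at all; if links or images must be allowed, each permitted attribute needs its own validation (scheme checks on href, for instance), which is exactly the kind of policy an HTML-sanitizing library provides and ad hoc escaping does not.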

Impact

Successful exploitation results in arbitrary HTML rendering within the Jenkins web UI. This can lead to information disclosure, session hijacking, or other actions that execute in the context of a victim user's browser when they view the affected warnings page. The attacker does not gain code execution on the Jenkins controller or agents directly. [1][2]

Mitigation

The plugin maintainers fixed the issue in Warnings Next Generation Plugin 2.0.0 (noted in the advisory); users should upgrade to 2.0.0 or later. The advisory provides no workaround for users unable to upgrade. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:warnings-ng (Maven)
Affected versions: < 2.0.0
Patched versions: 2.0.0

Affected products: 2

Patches: 0 (no patch commits linked in this index yet)

References: 3

News mentions: 0 (no linked articles in this index yet)