Moderate severity · NVD Advisory · Published Aug 7, 2019 · Updated Aug 4, 2024

CVE-2019-10373

Description

Jenkins Build Pipeline Plugin 1.5.8 and earlier has a stored XSS vulnerability allowing attackers with edit permissions to inject arbitrary HTML/JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Details

CVE-2019-10373 is a stored cross-site scripting (XSS) vulnerability in the Jenkins Build Pipeline Plugin versions 1.5.8 and earlier. The plugin fails to properly sanitize the build pipeline description field, allowing users with permission to edit the description to inject arbitrary HTML and JavaScript. This malicious content is then stored and executed when other users view the pipeline page [1][3].

Exploitation

An attacker must have the ability to edit the build pipeline description, which typically requires Job/Configure permissions. The injected script executes in the context of the Jenkins web interface, affecting any user who accesses the affected pipeline view. No additional authentication is needed beyond the ability to edit the description [1][2].

Impact

Successful exploitation allows the attacker to perform actions such as stealing CSRF tokens, modifying Jenkins configurations, or executing arbitrary actions on behalf of the victim user. This can lead to further compromise of the Jenkins instance and its managed projects [1][3].

Mitigation

As of the original advisory on August 7, 2019, no fixed version of the Build Pipeline Plugin was available [1][2]. Administrators should restrict edit permissions on build pipeline descriptions to trusted users only. If possible, consider disabling or replacing the plugin until a patched version is released [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| org.jenkins-ci.plugins:build-pipeline-plugin (Maven) | <= 1.5.8 | |

Patches

No patches discovered yet.
