CVE-2019-10374
Description
Stored XSS in Jenkins PegDown Formatter Plugin allows attackers to inject JavaScript links via markup fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2019-10374 is a stored cross-site scripting (XSS) vulnerability in the Jenkins PegDown Formatter Plugin versions 1.3 and earlier. The plugin fails to sanitize user-supplied markup, allowing attackers to insert links with the javascript: scheme into fields rendered by the configured markup formatter [1][2][3].
Exploitation
An attacker who can edit descriptions or other fields rendered through the markup formatter can inject JavaScript by way of a javascript: link. No privilege beyond the standard Jenkins permission to edit such fields is required, so any user who can modify them can exploit the issue [1].
Impact
Successful exploitation leads to arbitrary JavaScript execution within the Jenkins UI, potentially allowing attackers to steal session cookies, perform actions on behalf of victims, or deface the interface. The malicious code would execute when other users view the affected content [3].
Mitigation
The PegDown Formatter Plugin is deprecated and archived; users should migrate to the markdown-formatter plugin [4]. No official patch was released for this vulnerability because the plugin is no longer maintained. As a workaround, administrators can disable the plugin or restrict the relevant edit permissions to trusted users only [2].
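The defect described above is a missing URL-scheme check on links in rendered markup. The following is an added example, not code from the PegDown Formatter Plugin or from Jenkins: a small sanitizer that walks an HTML fragment produced by a markup formatter and drops any href whose scheme is not on an allowlist. The HTML sample, the allowlist and the helper names (is_safe_href, sanitize_links, HrefSanitizer) are constructed for this illustration and are assumptions, not the plugin's own API; the check deliberately handles the case and control-character variants and entity-encoded attribute values that browsers still treat as javascript: links.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist of URL schemes a rendered link may use (assumption for this example).
SAFE_SCHEMES = {"http", "https", "mailto"}


def is_safe_href(href):
    """Return True if the href is relative or uses an allowlisted scheme.

    ASCII control characters and whitespace are removed first, because browsers
    ignore them when parsing the scheme, so "java\\tscript:" would otherwise slip past.
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", href)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return True  # relative URL, path or fragment: no scheme to abuse
    return scheme in SAFE_SCHEMES


class HrefSanitizer(HTMLParser):
    """Rebuild an HTML fragment, dropping href attributes with disallowed schemes.

    HTMLParser decodes character references in attribute values before calling
    handle_starttag, so entity-encoded schemes are checked in decoded form.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # rebuilt HTML pieces
        self.dropped = []   # hrefs that were rejected, for logging or auditing

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if name == "href" and value is not None and not is_safe_href(value):
                self.dropped.append(value)
                continue  # emit the element without its href
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text was decoded by the parser; re-escape it so it stays text.
        self.out.append(escape(data, quote=False))


def sanitize_links(html_fragment):
    """Return (sanitized_html, list_of_dropped_hrefs)."""
    parser = HrefSanitizer()
    parser.feed(html_fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample of formatter output: one legitimate link and three
# javascript: links written in plain, control-character and entity-encoded forms.
SAMPLE = (
    '<p>See <a href="https://jenkins.io/">docs</a>, '
    '<a href="javascript:alert(1)">click</a> and '
    '<a href="JaVa\tScRiPt:alert(1)">here</a> and '
    '<a href="&#106;avascript:alert(1)">there</a>.</p>'
)

if __name__ == "__main__":
    html_out, rejected = sanitize_links(SAMPLE)
    print(html_out)
    print("dropped:", rejected)
```

The sanitizer keeps the anchor element and removes only the offending attribute, so the rendered text is unchanged while the link no longer executes script; logging the dropped values gives administrators a simple signal that someone is submitting javascript: links through a description field.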
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:pegdown-formatter (Maven) | <= 1.3 | — |
Affected products
- Range: 1.3 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-922h-x9qv-2274 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10374 (NVD, advisory)
- www.openwall.com/lists/oss-security/2019/08/07/1 (oss-security mailing list)
- jenkins.io/security/advisory/2019-08-07/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.