VYPR
Moderate severity · NVD Advisory · Published Aug 28, 2019 · Updated Aug 4, 2024

CVE-2019-10383

Description

Jenkins core before 2.192 and LTS before 2.176.3 fails to escape the update site URL, allowing administrators to store XSS affecting other admins in the update center.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2019-10383 is a stored cross-site scripting (XSS) vulnerability in Jenkins core affecting versions 2.191 and earlier, and LTS 2.176.2 and earlier. The root cause is that Jenkins does not properly escape the update site URL when displaying status messages in the update center web pages. This allows an attacker with Overall/Administer permission to configure a malicious update site URL containing arbitrary HTML and JavaScript, which is then stored and executed in the context of other administrators viewing the update center [1][2].

Exploitation

Prerequisites

Exploitation requires the attacker to have Overall/Administer permission, which is a highly privileged role typically limited to Jenkins administrators. The attacker can modify the update site URL through the Jenkins configuration interface. When other administrators access the update center page, the stored URL is rendered without proper escaping, causing the injected script to execute in their browsers [2][3]. The attack is stored, meaning the malicious payload persists until the update site URL is corrected.

Impact

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into update center web pages viewed by other administrators. This can lead to a range of malicious actions, including session hijacking, credential theft, or performing administrative actions on behalf of the victim [1][2]. Because the victims are themselves administrators, the injected script runs with full administrative privileges in their sessions, so the potential for privilege escalation and lateral movement within the Jenkins environment is significant.

Mitigation

The vulnerability is fixed in Jenkins weekly 2.192 and LTS 2.176.3, which properly escape the update site URL in status messages [2][3]. Red Hat issued RHSA-2019:3144 to address this in OpenShift Container Platform 3.11 [4]. Administrators should update to the patched versions immediately. No workarounds are documented, but limiting Overall/Administer permissions to trusted users reduces exposure [2].
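As an added illustration (not Jenkins' own code), the following Java shows the pattern the overview and mitigation describe: a status string that is later rendered as raw HTML, the same administrator-supplied URL interpolated once verbatim and once through an escaping helper, and the patched addStatus shape that escapes exactly once before wrapping the trace in <pre>. The xmlEscape and connectionFailed methods are hypothetical stand-ins for Jenkins' Functions.xmlEscape and Messages.UpdateCenter_Status_ConnectionFailed, not their real implementations, and the sample URL is constructed.

```java
import java.net.UnknownHostException;

public class UpdateCenterStatusDemo {
    // Stand-in for Jenkins' Functions.xmlEscape (hypothetical, not the real implementation).
    static String xmlEscape(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Stand-in for the Messages.UpdateCenter_Status_ConnectionFailed template: it only
    // interpolates its argument, so the caller decides whether the URL is escaped.
    static String connectionFailed(String url) {
        return "Failed to connect to " + url;
    }
    // Post-fix shape: escape at the call site, before the value becomes part of the HTML.
    static String fixedStatus(String connectionCheckUrl) {
        return connectionFailed(xmlEscape(connectionCheckUrl));
    }
    // Mirrors the patched addStatus(Throwable): escapes once, then wraps in <pre>.
    // Callers pass the raw throwable; pre-escaping would double-encode the trace.
    static String traceStatus(Throwable t) {
        return "<pre>" + xmlEscape(t.toString()) + "</pre>";
    }
    // Review check: does the rendered status still contain the input's markup unchanged?
    static boolean leaksRawMarkup(String rendered, String input) {
        return input.indexOf('<') >= 0 && rendered.contains(input);
    }
    public static void main(String[] args) {
        // Constructed sample URL carrying markup, as an administrator could configure it.
        String url = "https://updates.example.invalid/<b>site</b>?a=1&b=\"2\"";
        String before = connectionFailed(url);  // pre-fix shape: URL interpolated verbatim
        String after = fixedStatus(url);
        System.out.println("before: " + before + "  leaks=" + leaksRawMarkup(before, url));
        System.out.println("after:  " + after + "  leaks=" + leaksRawMarkup(after, url));
        System.out.println(traceStatus(new UnknownHostException(url)));
    }
}
```

The leaksRawMarkup check is the kind of assertion a regression test for this class of fix can make: the unescaped input must not survive verbatim in any string destined for the HTML status list.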

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  | Affected versions   | Patched versions
org.jenkins-ci.main:jenkins-core (Maven) | < 2.176.3           | 2.176.3
org.jenkins-ci.main:jenkins-core (Maven) | >= 2.177, < 2.192   | 2.192

Patches

fb88530f77d3

[SECURITY-1453]

https://github.com/jenkinsci/jenkins · Wadeck Follonier · Aug 13, 2019 · via ghsa
1 file changed · +4 −4
  • core/src/main/java/hudson/model/UpdateCenter.java (+4 −4, modified)
    @@ -1479,7 +1479,7 @@ public void run() {
                                     if(e.getMessage().contains("Connection timed out")) {
                                         // Google can't be down, so this is probably a proxy issue
                                         connectionStates.put(ConnectionStatus.INTERNET, ConnectionStatus.FAILED);
    -                                    statuses.add(Messages.UpdateCenter_Status_ConnectionFailed(connectionCheckUrl));
    +                                    statuses.add(Messages.UpdateCenter_Status_ConnectionFailed(Functions.xmlEscape(connectionCheckUrl)));
                                         return;
                                     }
                                 }
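Review bot: the escaping is applied at this one call site, but nothing about the statuses list itself records that its entries are raw HTML, so the fix relies on every future statuses.add caller remembering to wrap its argument in Functions.xmlEscape. A Javadoc line on the statuses field, or a single addStatus(String) that escapes, would enforce that invariant in one place. It is also worth confirming that the UpdateCenter_Status_ConnectionFailed resource does not itself escape its argument, otherwise connectionCheckUrl will now render double-encoded.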
    @@ -1501,12 +1501,12 @@ public void run() {
                     statuses.add(Messages.UpdateCenter_Status_Success());
                 } catch (UnknownHostException e) {
                     connectionStates.put(ConnectionStatus.UPDATE_SITE, ConnectionStatus.FAILED);
    -                statuses.add(Messages.UpdateCenter_Status_UnknownHostException(e.getMessage()));
    +                statuses.add(Messages.UpdateCenter_Status_UnknownHostException(Functions.xmlEscape(e.getMessage())));
                     addStatus(e);
                     error = e;
                 } catch (Exception e) {
                     connectionStates.put(ConnectionStatus.UPDATE_SITE, ConnectionStatus.FAILED);
    -                statuses.add(Functions.printThrowable(e));
    +                addStatus(e);
                     error = e;
                 }
                 
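Review bot: in the UnknownHostException branch the host name now appears twice, once escaped via Messages.UpdateCenter_Status_UnknownHostException(Functions.xmlEscape(e.getMessage())) and again inside the escaped trace from addStatus(e); that is safe but looks accidental, so a short comment explaining why both are kept would help. Replacing statuses.add(Functions.printThrowable(e)) with addStatus(e) in the generic catch also changes that status from inline text to a <pre> block; the commit message, which carries only the ticket id, should mention this visible change alongside the escaping fix.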
    @@ -1520,7 +1520,7 @@ public void run() {
                 }
             }
     
    -        private void addStatus(UnknownHostException e) {
    +        private void addStatus(Throwable e) {
                 statuses.add("<pre>"+ Functions.xmlEscape(Functions.printThrowable(e))+"</pre>");
             }
     
    
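Review bot: widening addStatus from UnknownHostException to Throwable is the right way to let the generic catch reuse it, but the method is now the only place that escapes trace output, so a one-line Javadoc stating that it escapes and wraps in <pre> and that callers must pass the unescaped throwable would prevent a later double-encoding regression. Consider making this (or a sibling taking String) the sole sink for entries added to statuses instead of the mix of direct statuses.add calls and addStatus seen in the hunks above.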

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
