CVE-2019-10395
Description
Jenkins Build Environment Plugin 1.6 and earlier has a stored XSS vulnerability due to improper escaping of variables, allowing users with job/build modification privileges to inject arbitrary web scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Build Environment Plugin versions 1.6 and earlier do not escape variables displayed in its views, resulting in a stored cross-site scripting (XSS) vulnerability. This affects Jenkins core versions 2.145, 2.138.1, and older [1][2].
Exploitation
An attacker who can change job or build properties (e.g., build name or description) can inject malicious JavaScript payloads. These payloads are stored and executed in the browser of any user viewing the affected page. No special network position or authentication beyond Jenkins permissions is required [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the Jenkins interface, potentially leading to session hijacking, credential theft, or further actions within the Jenkins instance [1][2].
Mitigation
The vulnerability is fixed in Build Environment Plugin version 1.7. The fix adds escape-by-default='true' to the Jelly views, ensuring proper output escaping [3][4]. Users should upgrade to version 1.7 or later.
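The following is an added illustration, not code from the Build Environment Plugin or from Jenkins: a toy renderer that interpolates `${NAME}` placeholders into an HTML table row the way a Jelly view prints build variables, once with raw substitution (the pre-1.7 behaviour) and once with escaping applied to every substituted value (what the `<?jelly escape-by-default='true'?>` directive in version 1.7 does). The template, the variable names and the sample value containing markup are constructed for the example; `foreign_tags` is a hypothetical check that flags any tag in the output the template itself did not emit.

```python
"""Toy model of Jelly's escape-by-default directive (added example; not
plugin code). Renders a build-variable table with and without escaping."""
import html
import re

# Constructed stand-in for one table row of a view such as summary.jelly.
ROW_TEMPLATE = "<tr><td>${NAME}</td><td>${VALUE}</td></tr>"

# Constructed sample variables: one ordinary value and one carrying markup,
# as a user with build-modification rights could store in a build parameter.
SAMPLE_VARS = {
    "BUILD_NUMBER": "42",
    "BUILD_NAME": "<script>alert(1)</script>",
}

PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def render_row(name, value, escape_by_default):
    """Substitute ${NAME} and ${VALUE} into ROW_TEMPLATE.

    With escape_by_default=True every substituted value is HTML-escaped
    before it reaches the page, mirroring a view whose first line is
    <?jelly escape-by-default='true'?>. With False the value is emitted
    verbatim, which is the stored-XSS condition of plugin 1.6 and earlier.
    """
    context = {"NAME": name, "VALUE": value}

    def substitute(match):
        text = context[match.group(1)]
        return html.escape(text, quote=True) if escape_by_default else text

    return PLACEHOLDER.sub(substitute, ROW_TEMPLATE)


def render_table(variables, escape_by_default):
    """Render all variables as one HTML table."""
    rows = "".join(render_row(n, v, escape_by_default) for n, v in variables.items())
    return f"<table>{rows}</table>"


# Tags the template is allowed to emit; anything else came from a variable.
TEMPLATE_TAGS = {"table", "tr", "td"}
TAG = re.compile(r"</?([a-zA-Z][\w-]*)")


def foreign_tags(fragment):
    """Return tag names in the rendered fragment that the template did not
    emit. A non-empty result means variable content reached the page as
    markup rather than as text."""
    return [name for name in TAG.findall(fragment) if name.lower() not in TEMPLATE_TAGS]


if __name__ == "__main__":
    for escaped in (False, True):
        page = render_table(SAMPLE_VARS, escape_by_default=escaped)
        print(f"escape_by_default={escaped}: foreign tags = {foreign_tags(page)}")
        print(page)
```

Running the block prints the two renderings: without escaping the `script` tag from BUILD_NAME appears in the page as a real element, with escaping it appears as the entity-encoded text `&lt;script&gt;alert(1)&lt;/script&gt;` and the check reports no foreign tags. The same check is a cheap regression test for a view after the directive is added: render a variable whose value contains `<` and `&` and assert only entity-encoded forms survive.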
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:build-environment (Maven) | < 1.7 | 1.7 |
Affected products
- Range: 1.6 and earlier
Patches
c9797608e839 [SECURITY-1476]
4 files changed · +7 −4
pom.xml+1 −1 modified@@ -3,7 +3,7 @@ <parent> <groupId>org.jenkins-ci.plugins</groupId> <artifactId>plugin</artifactId> - <version>1.509.4</version><!-- which version of Jenkins is this plugin built + <version>1.596</version><!-- which version of Jenkins is this plugin built against? --> </parent>
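Review bot: the parent POM bump from 1.509.4 to 1.596 is the only change in pom.xml and nothing in the commit says why an output-escaping fix needs a newer Jenkins baseline; record the reason in the commit message or PR description (which feature of the newer parent the Jelly changes rely on), and call out in the release notes that plugin 1.7 raises the minimum Jenkins version users must run to receive the fix.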
src/main/resources/org/jenkinsci/plugins/buildenvironment/actions/BuildEnvironmentBuildAction/export_variables.jelly+2 −1 modified@@ -1,3 +1,4 @@ +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> @@ -13,4 +14,4 @@ </l:main-panel> </l:layout> -</j:jelly> \ No newline at end of file +</j:jelly>
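Review bot: adding `<?jelly escape-by-default='true'?>` as the first line is the right default for export_variables.jelly, since every `${...}` expression in the view now emits escaped text; the hunk shows only the preamble and the closing tag, so the lines in between that are not in the diff should be checked for any expression that intentionally emitted markup and would now render literally. The second hunk only restores the missing trailing newline and needs no further action.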
src/main/resources/org/jenkinsci/plugins/buildenvironment/actions/BuildEnvironmentBuildAction/index.jelly+2 −1 modified@@ -1,3 +1,4 @@ +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> @@ -116,4 +117,4 @@ </l:main-panel> </l:layout> -</j:jelly> \ No newline at end of file +</j:jelly>
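Review bot: the same directive is applied to index.jelly, but more than a hundred lines of view between the two hunks are not shown; confirm that each output expression in them (for example any that builds a link or table cell from a variable name or value) behaves correctly once escaped, and add a test that renders a variable whose value contains `<` and `&` and asserts that only the entity-encoded form appears in the page, so the fix has regression coverage rather than relying on the directive alone.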
src/main/resources/org/jenkinsci/plugins/buildenvironment/actions/BuildEnvironmentBuildAction/summary.jelly+2 −1 modified@@ -1,3 +1,4 @@ +<?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt"> @@ -70,4 +71,4 @@ </table> </t:summary> -</j:jelly> \ No newline at end of file +</j:jelly>
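Review bot: summary.jelly gets the same one-line directive and additionally imports jelly:fmt (xmlns:i), so confirm whether values emitted through those formatting tags fall under the directive or need their own escaping. Since the fix is identical across three views, the commit message should state that any future view in this plugin must begin with the same directive; otherwise a new Jelly file silently reintroduces the issue.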
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-88qj-3q6h-8m5q (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10395 (NVD advisory)
- www.openwall.com/lists/oss-security/2019/09/12/2 (oss-security mailing list)
- github.com/jenkinsci/build-environment-plugin/commit/c9797608e839d0dce1957e3c1b512b872839e603 (fix commit)
- jenkins.io/security/advisory/2019-09-12/ (Jenkins security advisory)