CVE-2019-10396
Description
Jenkins Dashboard View Plugin 2.11 and earlier fails to escape build descriptions, enabling stored XSS by users with build description edit permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2019-10396 is a stored cross-site scripting (XSS) vulnerability in the Jenkins Dashboard View Plugin, affecting versions 2.11 and earlier. The plugin's Latest Builds portlet writes each build's description, unescaped, into the tooltip attribute of the build link (latestbuilds.jelly), and the tooltip is rendered as HTML, so markup or JavaScript placed in a description executes in the browser of a user who hovers that link on the dashboard [1][2]. The root cause is that user-controlled build description content was emitted without being passed through Jenkins' configured markup formatter.
Exploitation
Prerequisites
An attacker must be able to change a build's description on a Jenkins job. In Jenkins that is governed by the Run/Update permission (held implicitly by administrators), not by Job/Configure; the reference describes it simply as the ability to change build descriptions [2]. The attacker sets a crafted description containing HTML with script, for example the payload the plugin's own regression test uses, <i/onmouseover=confirm(1)>test. When another user (including an administrator) views a dashboard whose Latest Builds portlet lists that build and hovers the build link, the tooltip content is injected as HTML and the script runs in that user's session. No further authentication or network position is needed beyond the ability to edit build descriptions [3].
Impact
Successful exploitation lets the attacker act as the victim inside Jenkins with the victim's permissions: modifying job configurations, viewing data the victim can see, or triggering builds. Because the script runs in the context of the Jenkins web interface, a description-edit right becomes whatever the victim holds, so an administrator victim means privilege escalation to full control of the instance, with data exfiltration as a by-product [2][3].
Mitigation
The vulnerability is fixed in Dashboard View Plugin 2.12, which passes build descriptions through the instance's configured markup formatter before placing them in the tooltip [2][3][4]; with Jenkins' default formatter this escapes all HTML. Upgrade to 2.12 or later. No workaround is published; until the plugin is updated, exposure can be reduced by restricting who may edit build descriptions and by not placing Latest Builds portlets on dashboards. Note that the fix inherits the markup formatter's policy: an instance configured with a permissive formatter will still render whatever markup that formatter allows. The fix was released with the Jenkins Security Advisory of 2019-09-12 [2].
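The two encoding layers behind this bug are easy to get wrong, so the following is an added example (not code from the Dashboard View Plugin, Jenkins core, or the cited references) that models them with the payload from the plugin's own regression test. It serialises the build link as 2.11 and as 2.12 would, decodes the attribute once the way a browser does, then feeds the result to a stand-in for the tooltip widget, and finally triages build descriptions from a constructed Jenkins JSON API response. Assumptions, also marked in the code: the default markup formatter and Jelly's attribute encoding are both modelled with html.escape, the tooltip widget with html.parser, the href and job name are placeholders, and the API response is constructed rather than captured.

```python
"""Added example for this CVE page; it is not code from the Dashboard View
Plugin, Jenkins core, or the cited references.  Assumptions (labelled):
the default markup formatter and Jelly's attribute encoding are both
modelled with html.escape, the tooltip widget with html.parser, and the
API response below is constructed, not captured from a real instance."""
import html
import json
import re
from html.parser import HTMLParser

# Payload used by the plugin's regression test (LatestBuildsTest, SECURITY-1489).
TEST_PAYLOAD = "<i/onmouseover=confirm(1)>test"


def default_markup_formatter(description):
    """Stand-in for app.markupFormatter.translate() under Jenkins' default
    formatter, which escapes all HTML (assumption: modelled with html.escape)."""
    return html.escape(description, quote=True)


def render_build_link(description, fixed):
    """Serialise the <a tooltip="..."> element from latestbuilds.jelly.
    Both versions attribute-encode the value when writing the attribute
    (assumption: html.escape); only 2.12 first runs the description
    through the markup formatter.  The href is a placeholder."""
    if not description:
        return '<a href="/job/demo/1">#1</a>'
    value = default_markup_formatter(description) if fixed else description
    return '<a href="/job/demo/1" tooltip="%s">#1</a>' % html.escape(value, quote=True)


def dom_attribute_value(serialized):
    """What link.getAttribute("tooltip") returns: the attribute text after
    the HTML parser has decoded entities exactly once."""
    m = re.search(r'tooltip="([^"]*)"', serialized)
    return html.unescape(m.group(1)) if m else ""


class _TooltipWidget(HTMLParser):
    """Models the tooltip widget injecting the attribute value as HTML
    when the link is hovered: records start tags and visible text."""

    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_data(self, data):
        self.text.append(data)


def tooltip_rendering(description, fixed):
    """(start_tags, visible_text) the victim's browser builds from the tooltip."""
    widget = _TooltipWidget()
    widget.feed(dom_attribute_value(render_build_link(description, fixed)))
    widget.close()
    return widget.tags, "".join(widget.text)


def has_event_handler(tags):
    """True if any injected element carries an on* attribute."""
    return any(name.startswith("on") for _, attrs in tags for name in attrs)


# Constructed sample of GET /job/<name>/api/json?tree=builds[number,description]
SAMPLE_API_JSON = json.dumps({"builds": [
    {"number": 3, "description": "nightly; all tests green"},
    {"number": 2, "description": TEST_PAYLOAD},
    {"number": 1, "description": None},
]})

MARKUP = re.compile(r"<[a-zA-Z/!]|javascript:", re.IGNORECASE)


def suspicious_builds(api_json):
    """Build numbers whose description carries markup; a vulnerable portlet
    would render these raw, so they are worth reviewing even after upgrading."""
    builds = json.loads(api_json)["builds"]
    return [b["number"] for b in builds
            if b.get("description") and MARKUP.search(b["description"])]


if __name__ == "__main__":
    for version, fixed in (("2.11", False), ("2.12", True)):
        tags, text = tooltip_rendering(TEST_PAYLOAD, fixed)
        print(version, "tags:", tags, "text:", repr(text))
    print("descriptions to review:", suspicious_builds(SAMPLE_API_JSON))
```

The point the model makes visible: in both versions the serialised attribute contains entities, but on 2.11 the browser's single decode hands the widget a live `<i onmouseover=...>` element, whereas on 2.12 the formatter's escaping survives that decode and the widget receives only text. This is exactly why the upstream test checks that getAttribute("tooltip") starts with "&lt;" rather than "<". Running suspicious_builds against real API output (with an authenticated client) is a cheap way to find descriptions that were planted before the upgrade.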
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:dashboard-view (Maven) | < 2.12 | 2.12 |
Affected products
- Range: 2.11 and earlier
Patches
115238da2a88 [SECURITY-1489]
2 files changed · +56 −27
src/main/resources/hudson/plugins/view/dashboard/builds/LatestBuilds/latestbuilds.jelly+1 −1 modified@@ -15,7 +15,7 @@ </td> <td data="${it.getBuildColumnSortData(build)}"> <a href="${h.getRelativeLinkTo(build.parent)}/${build.number}" - tooltip="${build.description}"> + tooltip="${empty(build.description) ? null : app.markupFormatter.translate(build.description)}"> <l:icon alt="${build.iconColor.description}" class="${build.buildStatusIconClassName} icon-sm"/>${build.displayName} </a>
src/test/java/hudson/plugins/view/dashboard/builds/LatestBuildsTest.java+55 −26 modified@@ -1,45 +1,74 @@ package hudson.plugins.view.dashboard.builds; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.not; +import static org.hamcrest.Matchers.startsWith; +import static org.junit.Assert.assertThat; + +import com.gargoylesoftware.htmlunit.html.HtmlAnchor; +import com.gargoylesoftware.htmlunit.html.HtmlPage; +import hudson.model.FreeStyleBuild; import hudson.model.FreeStyleProject; import hudson.model.Job; -import hudson.model.Run; +import hudson.plugins.view.dashboard.Dashboard; import java.util.Collections; import java.util.List; -import java.util.concurrent.Callable; +import org.junit.BeforeClass; +import org.junit.ClassRule; import org.junit.Test; -import org.junit.Rule; +import org.jvnet.hudson.test.Issue; import org.jvnet.hudson.test.JenkinsRule; import org.jvnet.hudson.test.RunLoadCounter; public class LatestBuildsTest { - @Rule - public JenkinsRule j = new JenkinsRule(); + @ClassRule public static JenkinsRule j = new JenkinsRule(); - @Test - public void testAvoidEagerLoading() throws Exception { - final FreeStyleProject p = j.createFreeStyleProject(); - RunLoadCounter.prepare(p); - for (int i = 0; i < 5; i++) { - j.assertBuildStatusSuccess(p.scheduleBuild2(0)); - } + static FreeStyleProject p; - int numbuilds = 3; - final LatestBuilds latest = new LatestBuilds("-", numbuilds) { + @BeforeClass + public static void prepareBuilds() throws Exception { + p = j.createFreeStyleProject(); + for (int i = 0; i < 5; i++) { + j.assertBuildStatusSuccess(p.scheduleBuild2(0)); + } + } - @Override - protected List<Job> getDashboardJobs() { - return Collections.singletonList((Job) p); - } + @Test + public void testAvoidEagerLoading() throws Exception { + RunLoadCounter.prepare(p); - }; + int numbuilds = 3; + final LatestBuilds latest = + new LatestBuilds("-", numbuilds) { - RunLoadCounter.assertMaxLoads(p, numbuilds, new 
Callable<List<Run>>() { + @Override + protected List<Job> getDashboardJobs() { + return Collections.singletonList((Job) p); + } + }; - public List<Run> call() throws Exception { - return latest.getFinishedBuilds(); - } - }); - } + RunLoadCounter.assertMaxLoads(p, numbuilds, () -> latest.getFinishedBuilds()); + } -} \ No newline at end of file + @Test + @Issue("SECURITY-1489") + public void testTooltipIsEscaped() throws Exception { + FreeStyleBuild lastBuild = p.getLastBuild(); + lastBuild.setDescription("<i/onmouseover=confirm(1)>test"); + Dashboard dashboard = new Dashboard("foo"); + dashboard.setIncludeRegex(".*"); + dashboard.getLeftPortlets().add(new LatestBuilds("foo", 10)); + j.jenkins.addView(dashboard); + HtmlPage page = j.createWebClient().goTo("view/foo/"); + HtmlAnchor link = + page.getAnchors().stream() + .filter(a -> a.getHrefAttribute().endsWith("/" + lastBuild.number)) + .findAny() + .orElseThrow(IllegalStateException::new); + String tooltip = link.getAttribute("tooltip"); + // The default formatter just escapes all HTML + assertThat(tooltip, not(containsString("<"))); + assertThat(tooltip, startsWith("<")); + } +}
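Review bot: in the latestbuilds.jelly hunk the tooltip's safety now depends on app.markupFormatter, so escaping is exactly as strict as the instance's configured formatter. With the default formatter all HTML is escaped, which is what the new test asserts, but an instance running a permissive formatter will still get the permitted markup injected into the tooltip. That mirrors how descriptions are rendered elsewhere and is the right call, but it deserves a sentence in the commit message or changelog, and a short comment next to `${empty(build.description) ? null : app.markupFormatter.translate(build.description)}` explaining that the guard keeps a missing description from being passed to translate() would help the next reader.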
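Review bot: the switch from a per-test @Rule to a shared @ClassRule JenkinsRule with a static project makes the two tests order-dependent: testTooltipIsEscaped mutates shared state (it sets the last build's description and registers a view named "foo"), and testAvoidEagerLoading calls RunLoadCounter.prepare(p) on builds the tooltip test may already have loaded via p.getLastBuild(). Give the tooltip test its own project, or keep the per-test rule. Two smaller points in the same hunk: the assertions `not(containsString("<"))` and `startsWith("&lt;")` only hold for the default formatter, so the comment "The default formatter just escapes all HTML" should say the test is specific to it; and selecting the anchor by `a.getHrefAttribute().endsWith("/" + lastBuild.number)` can match any link whose href ends in that number, so matching on the full build URL would be more robust.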
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fv4q-4h24-23qr (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10396 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2019/09/12/2 (GHSA, mailing list, x_refsource_MLIST, web)
- github.com/jenkinsci/dashboard-view-plugin/commit/115238da2a8899358b32ee14e7076df23747d6c9 (GHSA, web)
- jenkins.io/security/advisory/2019-09-12/ (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.