CVE-2019-10402
Description
Jenkins core fails to escape HTML in f:combobox form control labels, enabling stored XSS by users who can define combobox items.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2019-10402 is a stored cross-site scripting (XSS) vulnerability in Jenkins core, affecting versions 2.196 and earlier, as well as LTS 2.176.3 and earlier [1][3]. The root cause lies in the f:combobox form control, which interprets the labels of its items as raw HTML rather than treating them as plain text [1]. This means that any user with permission to define the contents of a combobox can inject arbitrary HTML or JavaScript into the Jenkins interface [1][3].
Exploitation
To exploit this vulnerability, an attacker needs to have the ability to modify the data that populates a combobox form control. This is typically achievable by users who have the permission to configure certain job properties or plugin settings that use f:combobox [1][2]. The injected script will then be executed in the browser of any subsequent user who views the page containing the combobox, leading to a stored XSS attack [1]. The attacker does not need to be authenticated as an administrator, but must have at least some form of configuration permission [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the Jenkins web interface for any user viewing the affected page. This could lead to session hijacking, credential theft, or further compromise of the Jenkins instance [1][3]. The vulnerability is rated as Medium severity due to the prerequisite of having some configuration permissions, but the persistence of the script across sessions increases the risk [1].
Mitigation
Jenkins addressed this issue by updating the f:combobox component to no longer interpret item labels as HTML [1]. The fix is included in Jenkins weekly release 2.197 and LTS releases 2.176.4 and 2.190.1 [2]. Users are strongly advised to upgrade to these patched versions or later. The commit associated with this fix (SECURITY-1525) is available in the Jenkins repository [4]. There is no known workaround other than applying the upgrade.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | Maven | < 2.176.4 | 2.176.4 |
| org.jenkins-ci.main:jenkins-core | Maven | >= 2.177, < 2.197 | 2.197 |
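A version check against the fix boundaries given in the Mitigation section and the table above, added here as an example and not part of the advisory or the Jenkins project. It encodes the weekly/LTS split, so LTS 2.190.1 is treated as fixed even though a naive reading of the `>= 2.177, < 2.197` range would flag it; it assumes the instance exposes its version in the `X-Jenkins` response header, and the header sample is constructed.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]
# Fix boundaries stated on this page: weekly 2.197, LTS 2.176.4 and LTS 2.190.1.
FIXED_WEEKLY: Version = (2, 197)
FIXED_LTS: Dict[Version, Version] = {(2, 176): (2, 176, 4), (2, 190): (2, 190, 1)}

def parse_version(text: str) -> Version:
    """'2.176.3' -> (2, 176, 3). Weekly releases have two components, LTS
    releases three; anything else is rejected rather than guessed at."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(text: str) -> bool:
    """True when the version predates the fix on its own release line."""
    v = parse_version(text)
    if len(v) == 2:                      # weekly line
        return v < FIXED_WEEKLY
    line = v[:2]                         # LTS line, e.g. (2, 176) for 2.176.3
    if line in FIXED_LTS:
        return v < FIXED_LTS[line]
    # Older LTS lines never received the fix; lines after 2.190 branched
    # from weekly releases that already contained it.
    return line < (2, 190)

def version_from_headers(raw_headers: str) -> Optional[str]:
    """Pull the version from the X-Jenkins header Jenkins adds to responses."""
    m = re.search(r"^X-Jenkins:\s*([\d.]+)\s*$", raw_headers, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None

# Constructed sample response headers (not captured from a real instance).
SAMPLE_HEADERS = (
    "HTTP/1.1 403 Forbidden\r\n"
    "X-Jenkins: 2.176.3\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
)

def assess(raw_headers: str) -> Optional[bool]:
    """None when no version is exposed, otherwise the is_vulnerable verdict."""
    version = version_from_headers(raw_headers)
    return None if version is None else is_vulnerable(version)

if __name__ == "__main__":
    v = version_from_headers(SAMPLE_HEADERS)
    print(f"X-Jenkins {v}: {'vulnerable' if assess(SAMPLE_HEADERS) else 'fixed'}")
```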
Affected products
- Range: 2.196 and earlier, LTS 2.176.3 and earlier
Patches
13 files changed · +57 −1
test/src/test/java/lib/form/ComboBoxSEC1525Test.java+50 −0 added@@ -0,0 +1,50 @@ +package lib.form; + +import com.gargoylesoftware.htmlunit.html.HtmlElement; +import com.gargoylesoftware.htmlunit.html.HtmlElementUtil; +import com.gargoylesoftware.htmlunit.html.HtmlPage; +import hudson.model.FreeStyleProject; +import hudson.model.Job; +import hudson.util.ComboBoxModel; +import jenkins.model.OptionalJobProperty; +import org.jvnet.hudson.test.HudsonTestCase; +import org.jvnet.hudson.test.Issue; +import org.jvnet.hudson.test.TestExtension; + +//TODO meant to be merged back into ComboBoxTest after security release to avoid conflict during the upmerge process +public class ComboBoxSEC1525Test extends HudsonTestCase { + public static class XssProperty extends OptionalJobProperty<Job<?,?>> { + @TestExtension("testEnsureXSSnotPossible") + public static class DescriptorImpl extends OptionalJobProperty.OptionalJobPropertyDescriptor { + + @Override + public String getDisplayName() { + return "XSS Property"; + } + + public ComboBoxModel doFillXssItems() { + return new ComboBoxModel("<h1>HACK</h1>"); + } + } + } + + @Issue("SECURITY-1525") + public void testEnsureXSSnotPossible() throws Exception { + XssProperty xssProperty = new XssProperty(); + FreeStyleProject p = createFreeStyleProject(); + p.addProperty(xssProperty); + + WebClient wc = new WebClient(); + + HtmlPage configurePage = wc.getPage(p, "configure"); + int numberOfH1Before = configurePage.getElementsByTagName("h1").size(); + + HtmlElement comboBox = configurePage.getElementByName("_.xss"); + HtmlElementUtil.click(comboBox); + + // no additional h1, meaning the "payload" is not interpreted + int numberOfH1After = configurePage.getElementsByTagName("h1").size(); + + assertEquals(numberOfH1Before, numberOfH1After); + } +}
test/src/test/resources/lib/form/ComboBoxSEC1525Test/XssProperty/config.jelly+6 −0 added@@ -0,0 +1,6 @@ +<?jelly escape-by-default='true'?> +<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form"> + <f:entry field="xss"> + <f:combobox /> + </f:entry> +</j:jelly>
war/src/main/webapp/scripts/combobox.js+1 −1 modified@@ -246,7 +246,7 @@ ComboBox.prototype.populateDropdown = function() { for (var i = 0; i < this.availableItems.length; i++) { var item = document.createElement("div"); item.className = "comboBoxItem"; - item.innerHTML = this.availableItems[i]; + item.innerText = this.availableItems[i]; item.id = "item_" + this.availableItems[i]; item.comboBox = this; item.comboBoxIndex = i;
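Review bot: the assertion in testEnsureXSSnotPossible (first hunk, ComboBoxSEC1525Test.java) is only negative, checking that the h1 count is unchanged after the click, so a regression that renders no dropdown items at all would pass as well; add a positive check, for example that a `.comboBoxItem` element exists whose text content is the literal string `<h1>HACK</h1>`, so the test proves the label is shown as text rather than merely not interpreted.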
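Review bot: in the combobox.js hunk, switching the sink from innerHTML to innerText closes the injection, but textContent is the standard property and the more literal choice here: the innerText setter rewrites newlines in an item into <br> elements, whereas textContent inserts exactly the string. The unchanged following line `item.id = "item_" + this.availableItems[i];` still derives the element id from the raw item; that is not an HTML sink, but items containing spaces or duplicate labels yield invalid or colliding ids, so an index-based id such as `"item_" + i` would be more robust.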
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q6q9-83xw-mp6p (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10402 (GHSA advisory)
- www.openwall.com/lists/oss-security/2019/09/25/3 (GHSA mailing list, x_refsource_MLIST, web)
- github.com/jenkinsci/jenkins/commit/00064be3661e687da7215523a3ed9a37a85f51a3 (GHSA, web)
- jenkins.io/security/advisory/2019-09-25/ (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.