VYPR
Moderate severity · NVD Advisory · Published Sep 25, 2019 · Updated Aug 4, 2024

CVE-2019-10410

Description

Jenkins Log Parser Plugin ≤2.0 fails to escape an error message, enabling stored XSS via crafted log parsing rules.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The Jenkins Log Parser Plugin up to version 2.0 does not properly escape user-controlled error messages when displaying them in the Jenkins UI. According to the Jenkins Security Advisory [1], this stored cross-site scripting (XSS) vulnerability stems from the plugin's failure to escape an error message, allowing arbitrary HTML or JavaScript to be injected into the rendered page. The flaw is rated Medium severity (CVSS) [1].

Exploitation

Prerequisites

An attacker must have the ability to define log parsing rules within Jenkins [1]. This requires a user account with appropriate permissions to configure the plugin's rules. Once the attacker defines a malicious rule that triggers an error message containing crafted JavaScript, the script is stored and executed in the context of other users who view the affected error output [1][2]. No additional authentication on the victim's side is needed; the XSS payload is rendered automatically when the error message is displayed.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user who views the parsed log output containing the malicious error message [1][3]. This could enable session hijacking, credential theft, or other client-side attacks within the Jenkins web interface. The impact is limited to users with access to the Jenkins instance [3].

Mitigation

Status

The vulnerability is fixed in Log Parser Plugin version 2.1 [2]. Users should upgrade to this version or later. No workarounds are provided by the vendor, as the fix addresses the core lack of output encoding. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:log-parser (Maven)
Affected versions: < 2.1
Patched versions: 2.1

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4
