CVE-2019-16562
Description
Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins buildgraph-view Plugin 1.8 and earlier has stored XSS via unescaped build descriptions, exploitable by users with build description edit permission.
CVE-2019-16562 is a stored cross-site scripting (XSS) vulnerability in the Jenkins buildgraph-view Plugin [1][3]. The plugin does not escape the description of builds when displaying them in its view, allowing users who can change build descriptions to inject malicious JavaScript [1][3].
To exploit this, an attacker must have the ability to change build descriptions, which typically requires at least Job/Configure permission [1]. The malicious script executes in the browsers of other users viewing the buildgraph view, requiring no additional user interaction [1].
Successful exploitation leads to stored XSS, enabling the attacker to perform actions on behalf of the victim, such as modifying jobs, viewing secrets, or escalating privileges [1]. The attack can affect all users who access the view.
As of the advisory published December 17, 2019, no fix was available for buildgraph-view Plugin [2]. Users are advised to restrict permissions to change build descriptions or remove the plugin if not needed [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:buildgraph-view (Maven) | <= 1.8 | — |
Affected products
- Range: <=1.8
- Jenkins project / Jenkins buildgraph-view Plugin (v5), Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4j4g-fp93-qvrw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-16562 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2019/12/17/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- jenkins.io/security/advisory/2019-12-17/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.