CVE-2019-10406: XSS
First published: Wed Sep 25 2019(Updated: )
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins LTS | <=2.176.3 | |
| Jenkins LTS | <=2.196 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-10406?
CVE-2019-10406 is classified as a medium severity stored XSS vulnerability.
Who is affected by CVE-2019-10406?
CVE-2019-10406 affects Jenkins versions 2.196 and earlier, as well as LTS versions 2.176.3 and earlier.
How do I fix CVE-2019-10406?
To fix CVE-2019-10406, upgrade Jenkins to version 2.197 or later, or to LTS version 2.176.4 or later.
What type of attack does CVE-2019-10406 enable?
CVE-2019-10406 enables stored cross-site scripting (XSS) attacks that can be exploited by users with Overall/Administer permission.
What permissions are needed to exploit CVE-2019-10406?
An attacker would need Overall/Administer permissions to exploit CVE-2019-10406.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/weakness
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/jenkins
- canonical/jenkins lts
- version/jenkins lts/2.176.3
- version/jenkins lts/2.196