CVE-2019-1003014
PUBLISHED
Reported by jenkins · Published February 6, 2019
A cross-site scripting vulnerability exists in Jenkins Config File Provider Plugin 3.4.1 and earlier in src/main/resources/lib/configfiles/configfiles.jelly that allows attackers with permission to define shared configuration files to execute arbitrary JavaScript when a user attempts to delete the shared configuration file.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins project | Jenkins Config File Provider Plugin | 3.4.1 and earlier |
| Maven | org.jenkins-ci.plugins:config-file-provider | 0, 0 |
| Jenkins project | Jenkins Config File Provider Plugin | *, 3.4.1 and earlier |
Timeline
- Feb 6, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- x_refsource_CONFIRM
- RHBA-2019:0326 vendor-advisory, x_refsource_REDHAT
- RHBA-2019:0327 vendor-advisory, x_refsource_REDHAT
- https://nvd.nist.gov/vuln/detail/CVE-2019-1003014 advisory
- https://github.com/jenkinsci/config-file-provider-plugin/commit/64fba993c897ff52a9c6c38c6c41806f2e8cc73f patch
- https://github.com/advisories/GHSA-pmc5-74w3-78mw advisory