CVE-2019-1003042
Jenkins Lockable Resources Plugin XSS vulnerability
CVSS 3.1: 5.4 (MEDIUM)
EPSS: 0.09%
Description
A cross-site scripting vulnerability in Jenkins Lockable Resources Plugin 2.4 and earlier allows attackers able to control resource names to inject arbitrary JavaScript in web pages rendered by the plugin.
How to fix CVE-2019-1003042
To remediate CVE-2019-1003042, upgrade the affected package to a fixed version below.
- Maven/org.6wind.jenkins:lockable-resources: upgrade to 2.5 or later
Is CVE-2019-1003042 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.6wind.jenkins:lockable-resources: from 0, < 2.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |