CVE-2019-10374 — Jenkins PegDown Formatter Plugin has Cross-site Scripting vulnerability

Description

PegDown Formatter Plugin uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting (XSS) as a feature. PegDown Formatter Plugin does not prevent the use of `javascript:` scheme in URLs for links. This results in an XSS vulnerability exploitable by users able to configure entities with descriptions or similar properties that are rendered by the configured markup formatter. As of publication of this advisory, there is no fix.

How to fix CVE-2019-10374

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2019-10374 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10374
PATCHgithub.com/jenkinsci/pegdown-formatter-plugin
WEBjenkins.io/security/advisory/2019-08-07/#SECURITY-142
WEBwww.openwall.com/lists/oss-security/2019/08/07/1