Chapter 6: Build Pipeline Plugin "Stored XSS vulnerability"

danielclough

The Build Pipeline plugin suggested in the 06. SETTING UP CONTINUOUS INTEGRATION WITH JENKINS video was last updated 2 yr 8 mo ago (from Sept. 2020) and now contains a Stored XSS vulnerability warning.

Stored XSS vulnerability

SECURITY-879 / CVE-2019-10373
Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines.
This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security hardening implemented in those releases.

This is obviously not a problem, but a footnote of explanation could take advantage of a teachable moment.

---

Thanks for the great course,
Daniel Clough

luisviveropena

Hi @danielclough ,

Thanks for informing us, we'll check on this.

Many regards,
Luis.

gouravshah

@danielclough yes a footnote is due on this one.