Welcome to the Linux Foundation Forum!

Chapter 6: Build Pipeline Plugin "Stored XSS vulnerability"

The Build Pipeline plugin suggested in the 06. SETTING UP CONTINUOUS INTEGRATION WITH JENKINS video was last updated 2 yr 8 mo ago (from Sept. 2020) and now contains a Stored XSS vulnerability warning.

Stored XSS vulnerability

SECURITY-879 / CVE-2019-10373
Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines.
This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security hardening implemented in those releases.

This is obviously not a problem, but a footnote of explanation could take advantage of a teachable moment.


Thanks for the great course,
Daniel Clough

Comments

Categories

Upcoming Training