
CVE-2019-10475 — AI Deep Analysis Summary

Q1. What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: Reflected Cross-Site Scripting (XSS) in Jenkins build-metrics Plugin.…

Q2. Root Cause? (CWE/Flaw)

🛡️ **Root Cause**: CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin fails to properly escape the `label` query parameter, allowing raw HTML/JS injection.

Q3. Who is affected? (Versions/Components)

📦 **Affected**: Jenkins users running the **build-metrics Plugin** (version 1.3 is the one named in the PoC). Often used alongside the Jenkins sidebar links plugin.

Q4. What can hackers do? (Privileges/Data)

🕵️ **Attacker Capabilities**: Execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, or defacement of the Jenkins UI.

Q5. Is exploitation threshold high? (Auth/Config)

⚖️ **Exploitation Threshold**: **Low**. It is a *reflected* XSS.…

Q6. Is there a public Exp? (PoC/Wild Exploitation)

🔓 **Public Exp?**: **Yes**. PoCs are available on GitHub (e.g., vesche/CVE-2019-10475) and in Nuclei templates. Wild exploitation is feasible via social engineering (malicious links).

Q7. How to self-check? (Features/Scanning)

🔍 **Self-Check**: Scan for the `label` parameter in build-metrics URLs and check whether the value you send comes back in the response unescaped (with `<`, `>` and quotes intact) rather than HTML-encoded. Use automated scanners like Nuclei with the specific CVE template.
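The reflection check described above as a small script (an added example, not code from the advisory, the PoC or the Jenkins project): a harmless marker is placed in the `label` parameter and the response body is classified as reflecting it unescaped, escaped, or not at all. The probe path is an assumed placeholder, and the two sample responses are constructed to stand in for a vulnerable and a fixed page.

```python
"""Self-check helper for a reflected `label` parameter (CVE-2019-10475 style).

Added example, not code from the advisory or the Jenkins project. Fetching the
page is left to the caller; the classifier runs offline on constructed bodies.
"""
import html
from urllib.parse import urlencode, urljoin

# Benign marker: carries exactly the characters an HTML-escaping fix must neutralize.
MARKER = 'selfcheck<"\'>'

# Assumed placeholder; substitute the build-metrics page path of your own instance.
PROBE_PATH = "/PLACEHOLDER-build-metrics-page"


def build_probe_url(base_url: str, marker: str = MARKER) -> str:
    """Compose the probe URL with the marker URL-encoded into `label`."""
    return urljoin(base_url, PROBE_PATH) + "?" + urlencode({"label": marker})


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """Return 'unescaped', 'escaped' or 'not reflected' for one response body."""
    if marker in body:
        # Raw marker with '<' and quotes intact: input reached the page un-neutralized.
        return "unescaped"
    if marker in html.unescape(body):
        # Marker only appears once entities are decoded: the page escaped it.
        return "escaped"
    return "not reflected"


def self_check(bodies: dict[str, str]) -> dict[str, str]:
    """Classify each named response body; any 'unescaped' verdict needs the patch."""
    return {name: classify_reflection(body) for name, body in bodies.items()}


# Constructed sample responses: what a vulnerable and a fixed plugin page might return.
VULNERABLE_BODY = '<h2>Build stats for label: selfcheck<"\'></h2>'
FIXED_BODY = '<h2>Build stats for label: selfcheck&lt;&quot;&#39;&gt;</h2>'

if __name__ == "__main__":
    print(build_probe_url("https://jenkins.example.invalid/"))
    for name, verdict in self_check({"vulnerable": VULNERABLE_BODY, "fixed": FIXED_BODY}).items():
        print(f"{name}: {verdict}")
```

Because the check decodes entities before comparing, it recognises escaping regardless of whether the server emits `&#39;`, `&#x27;` or named entities.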

Q8. Is it fixed officially? (Patch/Mitigation)

✅ **Official Fix**: **Yes**. Patched in Jenkins Security Advisory 2019-10-23 (SECURITY-1490). Users should update the build-metrics plugin to the latest secure version.

Q9. What if no patch? (Workaround)

🚧 **No Patch Workaround**: Disable the build-metrics plugin if not needed. Implement WAF rules to block XSS payloads in the `label` parameter. Restrict access to Jenkins UI.

Q10. Is it urgent? (Priority Suggestion)

⚑ **Urgency**: **High**. XSS allows direct client-side compromise. Since PoCs are public and it affects a widely used CI/CD tool, immediate patching is recommended to prevent session hijacking.