Alpine: multiple jenkins packages: security update to 2.199-r0

medium Tenable Self-Hosted Container Security Plugin ID 405037

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in
the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with
Overall/Administer permission. (CVE-2019-10406)

- In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandableTextBox form control interpreted
its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with
permission to define its contents (typically Job/Configure). (CVE-2019-10401)

- In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item
labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its
contents. (CVE-2019-10402)

- Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the SCM tag name on the tooltip for SCM
tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names
for these actions. (CVE-2019-10403)

- Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked
in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the
reason a queue item is blocked, such as label expressions not matching any idle executors.
(CVE-2019-10404)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-10401

https://security.alpinelinux.org/vuln/CVE-2019-10402

https://security.alpinelinux.org/vuln/CVE-2019-10403

https://security.alpinelinux.org/vuln/CVE-2019-10404

https://security.alpinelinux.org/vuln/CVE-2019-10405

https://security.alpinelinux.org/vuln/CVE-2019-10406

Plugin Details

Severity: Medium

ID: 405037

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2019-10406

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2019-10405

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 9/25/2019

Reference Information

CVE: CVE-2019-10401, CVE-2019-10402, CVE-2019-10403, CVE-2019-10404, CVE-2019-10405, CVE-2019-10406