Description
A cross-site scripting (XSS) vulnerability exists in the Stapler web framework used by Jenkins 2.132 and earlier (weekly) and 2.121.1 and earlier (LTS), in org/kohsuke/stapler/Stapler.java. When Stapler debug mode is enabled, an attacker who can control the existence of certain URLs in Jenkins can define JavaScript that is executed in another user's browser when that user views an HTTP 404 error page.
Remediation
References
https://jenkins.io/security/advisory/2018-07-18/#SECURITY-390
https://www.oracle.com/security-alerts/cpuapr2022.html
Related Vulnerabilities
CVE-2022-34179 Vulnerability in maven package org.jenkins-ci.plugins:embeddable-build-status
CVE-2022-25927 Vulnerability in maven package org.webjars.npm:github-com-faisalman-ua-parser-js
CVE-2023-40349 Vulnerability in maven package org.jenkins-ci.plugins:gogs-webhook
CVE-2023-46660 Vulnerability in maven package org.jenkins-ci.plugins:zanata
CVE-2022-45398 Vulnerability in maven package org.zeroturnaround:cluster-stats