Description

Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.1 and earlier does not escape the name and description of List maven artifact versions parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2784

Related Vulnerabilities

CVE-2014-3574 Vulnerability in maven package org.apache.poi:poi-ooxml

CVE-2012-3373 Vulnerability in maven package org.apache.wicket:wicket

CVE-2021-36774 Vulnerability in maven package org.apache.kylin:kylin-core-common

CVE-2023-50722 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui

CVE-2023-48796 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-alert-server

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory