Description

Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.1 and earlier does not escape the name and description of List maven artifact versions parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2784

Related Vulnerabilities

CVE-2022-45462 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-alert-plugins

CVE-2019-10398 Vulnerability in maven package org.jenkins-ci.plugins:beaker-builder

CVE-2023-46233 Vulnerability in maven package org.webjars.npm:github-com-brix-crypto-js

CVE-2023-49620 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-common

CVE-2023-45807 Vulnerability in maven package org.opensearch.plugin:opensearch-security

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory