Description
Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not perform URL validation for the "Repository Base URL" of "List maven artifact versions" parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/07/27/1
https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2686
Related Vulnerabilities
CVE-2020-12827 Vulnerability in maven package org.webjars.npm:mjml
CVE-2022-24846 Vulnerability in maven package org.geowebcache:gwc-diskquota-jdbc
CVE-2021-23353 Vulnerability in maven package org.webjars:jspdf
CVE-2021-25947 Vulnerability in npm package nestie
CVE-2020-5529 Vulnerability in maven package net.sourceforge.htmlunit:htmlunit