CVE-2022-36905

2022-07-2715:15:10

CWE-79

[email protected]

web.nvd.nist.gov

cve-2022-36905

jenkins

maven

metadata plugin

jenkins ci server

xss

vulnerability

nvd

cve

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

33.4%

JSON

Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Affected configurations

NVD

Node

jenkinsmaven_metadataRange≤2.2jenkins_ci

CPENameOperatorVersion
jenkins:maven_metadatajenkins maven metadatale2.2

CPE	Name	Operator	Version
jenkins:maven_metadata	jenkins maven metadata	le	2.2

CNA Affected

[
  {
    "product": "Jenkins Maven Metadata Plugin for Jenkins CI server Plugin",
    "vendor": "Jenkins project",
    "versions": [
      {
        "lessThanOrEqual": "2.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 2.2",
        "versionType": "custom"
      }
    ]
  }
]