Lucene search

GitHub Advisory DatabaseGHSA-5G2C-J6V9-VF94

HistoryDec 12, 2022 - 9:30 a.m.

Jenkins Custom Build Properties Plugin vulnerable to Cross-site Scripting

2022-12-1209:30:35

CWE-79

GitHub Advisory Database

github.com

jenkins

custom build

properties

plugin

cross-site scripting

vulnerability

software

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.5%

JSON

Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values. Custom Build Properties Plugin 2.82.v16d5b_d3590c7 escapes property values and build display names on the Custom Build Properties and Build Summary pages.

Affected configurations

Vulners

Node

io.jenkins.pluginscustom-build-propertiesRange<2.82.v16d5b

VendorProductVersionCPE
io.jenkins.pluginscustom-build-properties*cpe:2.3:a:io.jenkins.plugins:custom-build-properties:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
io.jenkins.plugins	custom-build-properties	*	cpe:2.3:a:io.jenkins.plugins:custom-build-properties::::::::

References

github.com/advisories/GHSA-5g2c-j6v9-vf94

github.com/jenkinsci/custom-build-properties-plugin/commit/ff4e27181389955cbb051c1c91f0c85c6adbced0

nvd.nist.gov/vuln/detail/CVE-2022-46686

www.jenkins.io/security/advisory/2022-12-07/#SECURITY-2810