Lucene search

GitHub Advisory DatabaseGHSA-8294-MV9C-7M5H

HistoryJul 28, 2022 - 12:00 a.m.

Stored XSS vulnerability in Jenkins Maven Metadata Plugin for Jenkins CI server plugin

2022-07-2800:00:42

CWE-79

GitHub Advisory Database

github.com

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

33.5%

JSON

Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Affected configurations

Vulners

Node

metadata-extractor_projectmetadata-extractorRange≤2.2

CPENameOperatorVersion
eu.markov.jenkins.plugin.mvnmeta:maven-metadata-pluginle2.2

CPE	Name	Operator	Version
	eu.markov.jenkins.plugin.mvnmeta:maven-metadata-plugin	le	2.2

References

www.openwall.com/lists/oss-security/2022/07/27/1

github.com/advisories/GHSA-8294-mv9c-7m5h

nvd.nist.gov/vuln/detail/CVE-2022-36905

www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2686