Lucene search

GitHub Advisory DatabaseGHSA-9PVW-8Q92-HM9W

HistoryJun 14, 2023 - 3:30 p.m.

Stored XSS vulnerability in Jenkins Maven Repository Server Plugin

2023-06-1415:30:37

CWE-79

GitHub Advisory Database

github.com

jenkins

vulnerability

stored xss

maven

repository server plugin

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

49.3%

JSON

Jenkins Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in pom.xml.

Affected configurations

Vulners

Node

jenkinsrepository_connectorRange≤1.10jenkins

VendorProductVersionCPE
jenkinsrepository_connector*cpe:2.3:a:jenkins:repository_connector:*:*:*:*:*:jenkins:*:*

Vendor	Product	Version	CPE
jenkins	repository_connector	*	cpe:2.3:a:jenkins:repository_connector::::::jenkins::*

References

www.openwall.com/lists/oss-security/2023/06/14/5

github.com/advisories/GHSA-9pvw-8q92-hm9w

nvd.nist.gov/vuln/detail/CVE-2023-35143

www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3156