Lucene search

GitHub Advisory DatabaseGHSA-FQ2H-R2H9-PJ8R

HistorySep 22, 2022 - 12:00 a.m.

Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Cross-site Scripting

2022-09-2200:00:28

CWE-79

GitHub Advisory Database

github.com

jenkins

ns-nd integration

performance publisher plugin

cross-site scripting

configuration

xss vulnerability

attackers

item/configure permission

software

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

22.8%

JSON

Jenkins NS-ND Integration Performance Publisher Plugin prior to version 4.8.0.147 does not escape configuration options of the Execute NetStorm/NetCloud Test build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Affected configurations

Vulners

Node

io.jenkins.pluginscavisson-ns-nd-integrationRange<4.8.0.147

VendorProductVersionCPE
io.jenkins.pluginscavisson-ns-nd-integration*cpe:2.3:a:io.jenkins.plugins:cavisson-ns-nd-integration:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
io.jenkins.plugins	cavisson-ns-nd-integration	*	cpe:2.3:a:io.jenkins.plugins:cavisson-ns-nd-integration::::::::

References

github.com/advisories/GHSA-fq2h-r2h9-pj8r

github.com/jenkinsci/cavisson-ns-nd-integration-plugin/commit/d77c6c7a279da002178f8244f37093773dd6aee5

nvd.nist.gov/vuln/detail/CVE-2022-41229

www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2858