GitHub Advisory DatabaseGHSA-R69C-5J7C-VM6QCross-site Scripting in Jenkins
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
50.0%
Jenkins before versions 2.44 and 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | le | 2.43 | |
| org.jenkins-ci.main:jenkins-core | le | 2.32.1 |
References
www.openwall.com/lists/oss-security/2022/04/12/5
www.openwall.com/lists/oss-security/2022/05/17/8
www.openwall.com/lists/oss-security/2022/06/22/3
www.openwall.com/lists/oss-security/2022/06/30/3
www.openwall.com/lists/oss-security/2022/10/19/3
www.securityfocus.com/bid/95960
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2601
github.com/advisories/GHSA-r69c-5j7c-vm6q
github.com/jenkinsci/jenkins/commit/fd2e081b947124c90bcd97bfc55e1a7f2ef41a74
jenkins.io/security/advisory/2017-02-01/
nvd.nist.gov/vuln/detail/CVE-2017-2601
Related
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
50.0%