Stored XSS vulnerability in Jenkins Repository Connector Plugin

2022-05-2417:43:00

Google

osv.dev

0.001 Low

EPSS

Percentile

22.2%

JSON

Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Jenkins Repository Connector Plugin 2.0.3 escapes parameter names and descriptions when creating new parameters.

CPENameOperatorVersion
org.jenkins-ci.plugins:repository-connectoreq1.2.4
org.jenkins-ci.plugins:repository-connectoreq1.1.1
org.jenkins-ci.plugins:repository-connectoreq1.3.1
org.jenkins-ci.plugins:repository-connectoreq1.2.3
org.jenkins-ci.plugins:repository-connectoreq1.2.6
org.jenkins-ci.plugins:repository-connectoreq2.0.1
org.jenkins-ci.plugins:repository-connectoreq1.1.0
org.jenkins-ci.plugins:repository-connectoreq1.0.1
org.jenkins-ci.plugins:repository-connectoreq1.1.3
org.jenkins-ci.plugins:repository-connectoreq2.0.0

Name	Operator	Version
org.jenkins-ci.plugins:repository-connector	eq	1.2.4
org.jenkins-ci.plugins:repository-connector	eq	1.1.1
org.jenkins-ci.plugins:repository-connector	eq	1.3.1
org.jenkins-ci.plugins:repository-connector	eq	1.2.3
org.jenkins-ci.plugins:repository-connector	eq	1.2.6
org.jenkins-ci.plugins:repository-connector	eq	2.0.1
org.jenkins-ci.plugins:repository-connector	eq	1.1.0
org.jenkins-ci.plugins:repository-connector	eq	1.0.1
org.jenkins-ci.plugins:repository-connector	eq	1.1.3
org.jenkins-ci.plugins:repository-connector	eq	2.0.0