Description
Maven Metadata Plugin for Jenkins CI server (plugin versions 2.2 and earlier) does not perform URL validation for the Repository Base URL of "List maven artifact versions" parameters. Because the unvalidated value is stored as part of the job configuration, this results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission, that is, by any user who is allowed to edit the configuration of a job that uses such a parameter.
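The following is an added example, not code from the Maven Metadata Plugin or from the Jenkins advisory, of the kind of check the description says is missing: a user-supplied repository base URL is accepted only if it parses as an absolute http or https URL with a host, and it is HTML-escaped wherever the stored value is rendered. The class and method names are assumed. In a Jenkins plugin a check like this would typically be exposed as a FormValidation doCheck... method on the parameter's Descriptor for interactive feedback; because those form checks are advisory only, the same check also has to run when the configuration is saved. The example needs Java 11 or later (Set.of, String.isBlank).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example (not the plugin's own code): scheme-allowlisting validation for a
// user-configured repository base URL, plus the escaping to apply when the stored
// value is rendered. Class and method names are assumptions for illustration.
public final class RepositoryBaseUrlCheck {

    // Only absolute web URLs make sense for a Maven repository. Anything else
    // (javascript:, data:, relative paths, raw markup) is rejected before it is stored.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns null when the value is acceptable, otherwise a human-readable reason. */
    public static String validate(String value) {
        if (value == null || value.isBlank()) {
            return "Repository Base URL must not be empty";
        }
        URI uri;
        try {
            uri = new URI(value.trim());
        } catch (URISyntaxException e) {
            // Quotes and angle brackets are illegal characters in a URI, so payloads
            // that try to break out of an HTML attribute or element fail here.
            return "Not a syntactically valid URL: " + e.getReason();
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return "Only http and https URLs are allowed";
        }
        if (uri.getHost() == null || uri.getHost().isEmpty()) {
            return "URL must include a host name";
        }
        if (uri.getUserInfo() != null) {
            return "Credentials embedded in the URL are not allowed";
        }
        return null;
    }

    /** Minimal HTML escaping for rendering the stored value in element text or an attribute. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate repository URL and three values a
        // user with Item/Configure permission might submit through the job form.
        String[] samples = {
            "https://repo.example.com/maven2/",
            "javascript:alert(document.domain)",
            "\"><script>alert(1)</script>",
            "ftp://repo.example.com/",
        };
        for (String s : samples) {
            String reason = validate(s);
            System.out.println((reason == null ? "ACCEPT  " : "REJECT  ") + escapeHtml(s)
                + (reason == null ? "" : "  (" + reason + ")"));
        }
    }
}
```

Only the first sample is accepted; the javascript: and ftp: values fail the scheme allowlist, and the markup payload never gets past URI parsing. Validation and output escaping are independent defences: the allowlist keeps script-bearing values out of the stored configuration, and escaping on render protects any page that displays a value stored before the check existed.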
Remediation
References
https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2686
http://www.openwall.com/lists/oss-security/2022/07/27/1
Related Vulnerabilities
CVE-2021-41248 Vulnerability in npm package graphiql
CVE-2023-25499 Vulnerability in maven package com.vaadin:flow-server
CVE-2018-11764 Vulnerability in maven package org.apache.hadoop:hadoop-core
CVE-2010-1157 Vulnerability in maven package tomcat:catalina
CVE-2023-24428 Vulnerability in maven package org.jenkins-ci.plugins:bitbucket-oauth