Description
Maven Metadata Plugin for Jenkins CI server 2.2 and earlier does not perform URL validation for the Repository Base URL of "List maven artifact versions" parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/07/27/1
https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2686
Related Vulnerabilities
CVE-2023-37965 Vulnerability in maven package org.jenkins-ci.plugins:elasticbox
CVE-2022-24999 Vulnerability in maven package org.webjars.npm:qs
CVE-2022-45690 Vulnerability in maven package cn.hutool:hutool-json
CVE-2018-1000644 Vulnerability in maven package org.eclipse.rdf4j:rdf4j-rio-rdfxml
CVE-2022-36893 Vulnerability in maven package org.jenkins-ci.plugins:rpmsign-plugin