GHSA-5g2c-j6v9-vf94

Source
https://github.com/advisories/GHSA-5g2c-j6v9-vf94
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-5g2c-j6v9-vf94/GHSA-5g2c-j6v9-vf94.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-5g2c-j6v9-vf94
Aliases
  • CVE-2022-46686
Published
2022-12-12T09:30:35Z
Modified
2023-11-01T05:00:28.019101Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Jenkins Custom Build Properties Plugin vulnerable to Cross-site Scripting
Details

Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values. Custom Build Properties Plugin 2.82.v16d5b_d3590c7 escapes property values and build display names on the Custom Build Properties and Build Summary pages.

Database specific
{
    "nvd_published_at": "2022-12-12T09:15:00Z",
    "github_reviewed_at": "2022-12-12T22:16:49Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

Affected packages

Maven / io.jenkins.plugins:custom-build-properties

Package

Name
io.jenkins.plugins:custom-build-properties
Purl
pkg:maven/io.jenkins.plugins/custom-build-properties

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.82.v16d5b