GHSA-62wf-24c4-8r76

Suggest an improvement
Source
https://github.com/advisories/GHSA-62wf-24c4-8r76
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-62wf-24c4-8r76/GHSA-62wf-24c4-8r76.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-62wf-24c4-8r76
Aliases
Published
2022-06-24T00:00:31Z
Modified
2024-03-13T18:15:50.908171Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Cross-site Scripting vulnerability in Jenkins
Details

Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for SECURITY-1955.

This vulnerability is known to be exploitable by attackers with Job/Configure permission.

Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability, the feature name in help icon tooltips is now escaped.

Database specific
{
    "nvd_published_at": "2022-06-23T17:15:00Z",
    "cwe_ids": [
        "CWE-22",
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T00:12:32Z"
}
References

Affected packages

Maven / org.jenkins-ci.main:jenkins-core

Package

Name
org.jenkins-ci.main:jenkins-core
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.350
Fixed
2.356

Affected versions

2.*

2.350
2.354
2.355

Maven / org.jenkins-ci.main:jenkins-core

Package

Name
org.jenkins-ci.main:jenkins-core
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.320
Fixed
2.332.4

Affected versions

2.*

2.320
2.321
2.322
2.323
2.324
2.325
2.326
2.327
2.328
2.329
2.330
2.331
2.332
2.332.1
2.332.2
2.332.3

Maven / org.jenkins-ci.main:jenkins-core

Package

Name
org.jenkins-ci.main:jenkins-core
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.346
Fixed
2.346.1

Affected versions

2.*

2.346