GHSA-fx9p-2qvx-pgjv

Source
https://github.com/advisories/GHSA-fx9p-2qvx-pgjv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fx9p-2qvx-pgjv/GHSA-fx9p-2qvx-pgjv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-fx9p-2qvx-pgjv
Aliases
Published
2022-05-24T16:47:43Z
Modified
2024-01-02T05:51:09.157544Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Jenkins ElectricFlow Plugin is vulnerable to stored cross-site scripting (XSS)
Details

The plugin adds metadata to build pages during its operations.

This user-controllable content was not escaped, resulting in a stored cross-site scripting vulnerability. Users with Job/Configure permission, or attackers able to control the API responses the plugin receives from ElectricFlow, could cause arbitrary HTML and JavaScript to be rendered on Jenkins build pages in the browser of anyone viewing them.

Build metadata is now passed through an HTML formatter that permits only basic HTML, so unsafe markup is neutralized at render time, including metadata already stored by earlier builds. Additionally, all builds executed after the security update is applied escape content received from ElectricFlow at the point it is recorded.
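The following is an added example, not code from the ElectricFlow plugin (which is written in Java and whose actual formatter is not reproduced here). It illustrates the two behaviours the advisory contrasts: the pre-fix pattern of concatenating metadata into the page unchanged, and a render-time formatter that keeps only a small allow-list of basic HTML and escapes everything else. The allow-list, the function names, the `electricflow-summary` wrapper and the sample metadata string are all assumptions constructed for this example.

```python
"""Allow-list HTML formatter for untrusted build metadata (added example).

Not the ElectricFlow plugin's own code. The allow-list below, the helper
names and SAMPLE_METADATA are assumptions constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allow-list: basic inline formatting only. Event handlers, style,
# script and non-http(s) link targets are never emitted.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://")


class BasicHtmlFormatter(HTMLParser):
    """Re-emits the input keeping only allow-listed tags and attributes.

    Disallowed tags are dropped (their text is kept, escaped), <script> and
    <style> bodies are dropped entirely, and every text node is HTML-escaped.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allow-listed tags we have emitted and not closed
        self.skipping = None  # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = tag  # drop the body, not just the tag
            return
        if tag not in ALLOWED_TAGS:
            return  # drops <img onerror=...>, <iframe>, <svg>, ...
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onclick=, style=, etc.
            if name == "href" and not value.strip().lower().startswith(ALLOWED_SCHEMES):
                continue  # drops javascript:, data:, vbscript: targets
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open_tags:
            # close anything opened after this tag so the output stays balanced
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skipping:
            return
        self.out.append(escape(data, quote=True))

    def result(self):
        self.close()
        while self.open_tags:  # close whatever the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def format_build_metadata(raw):
    """Render untrusted metadata through the allow-list formatter."""
    p = BasicHtmlFormatter()
    p.feed(raw)
    return p.result()


def render_unsafe(raw):
    """Pre-fix pattern: metadata concatenated into the page unchanged."""
    return f'<div class="electricflow-summary">{raw}</div>'


def render_safe(raw):
    """Post-fix pattern: metadata filtered before it reaches the page."""
    return f'<div class="electricflow-summary">{format_build_metadata(raw)}</div>'


# Constructed sample of what a malicious job configuration or a tampered
# ElectricFlow API response could place in the build summary.
SAMPLE_METADATA = (
    'Deployed <b>release-1.4</b> '
    '<img src=x onerror="alert(document.cookie)"> '
    '<a href="javascript:alert(1)" onclick="alert(2)">details</a> '
    '<script>fetch("/crumbIssuer/api/json")</script>'
    '<i>ok'
)

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_METADATA))
    print(render_safe(SAMPLE_METADATA))
```

Running the block prints the raw concatenation (the `onerror` handler, the `javascript:` link and the `<script>` body all reach the page) followed by the filtered form, in which only `<b>`, `<a>` (stripped of its unsafe target) and a balanced `<i>` survive and all text is escaped. Note that filtering at render time is what protects metadata stored before the fix; escaping at ingestion only helps builds that run afterwards, which is why the advisory describes both.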

Database specific
{
    "nvd_published_at": "2019-06-11T14:29:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-26T22:19:43Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:electricflow

Package

Name
org.jenkins-ci.plugins:electricflow
Purl
pkg:maven/org.jenkins-ci.plugins/electricflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.7

Affected versions


1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6

Database specific

{
    "last_known_affected_version_range": "<= 1.1.6"
}