GHSA-gghc-g8cj-4vfv

Suggest an improvement
Source
https://github.com/advisories/GHSA-gghc-g8cj-4vfv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gghc-g8cj-4vfv/GHSA-gghc-g8cj-4vfv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-gghc-g8cj-4vfv
Aliases
Published
2022-05-24T19:16:59Z
Modified
2024-01-02T05:58:15.234681Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Stored XSS vulnerability in Jenkins Git Plugin
Details

Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted commit notifications to the /git/notifyCommit endpoint.

Jenkins Git Plugin 4.8.3 rejects Git SHA-1 checksum parameters that do not match the expected format. Existing values are sanitized when displayed on the UI.

This vulnerability is only exploitable in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier. See the LTS upgrade guide.

Database specific
{
    "nvd_published_at": "2021-10-06T23:15:00Z",
    "cwe_ids": [
        "CWE-116",
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-15T17:36:30Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:git

Package

Name
org.jenkins-ci.plugins:git
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/git

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.8.3

Affected versions

1.*

1.2.0
1.3.0
1.4.0
1.5.0
1.6.0-beta-1

2.*

2.0-beta-2
2.0-beta-3
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.3-beta-1
2.3-beta-2
2.3-beta-3
2.3-beta-4
2.3
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0-beta1
2.5.0-beta2
2.5.0-beta3
2.5.0-beta4
2.5.0-beta5
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2-beta-1
2.6.2-beta-2
2.6.2
2.6.4
2.6.5

3.*

3.0.0-beta1
3.0.0-beta2
3.0.0
3.0.1
3.0.2-beta-1
3.0.2-beta-2
3.0.2
3.0.3
3.0.4
3.0.5
3.1.0
3.2.0
3.3.0
3.3.1
3.3.2
3.4.0-alpha-1
3.4.0-alpha-4
3.4.0-beta-1
3.4.0-beta-2
3.4.0
3.4.1
3.5.0
3.5.1
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.7.0
3.8.0
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.10.0-beta-1
3.10.0
3.10.0.1
3.10.1
3.11.0
3.12.0
3.12.1
3.12.2

4.*

4.0.0-beta1
4.0.0-beta2
4.0.0-beta3
4.0.0-beta4
4.0.0-beta7
4.0.0-beta8
4.0.0-beta9
4.0.0-beta10
4.0.0-beta11
4.0.0-beta12
4.0.0-rc
4.0.0
4.0.1
4.1.0-beta
4.1.0
4.1.1
4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.5.0
4.5.1
4.5.2
4.6.0
4.7.0
4.7.1
4.7.1.1
4.7.2
4.8.0
4.8.1
4.8.2

Database specific

{
    "last_known_affected_version_range": "<= 4.8.2"
}