GHSA-hg2w-3c4j-jjwm

Suggest an improvement
Source
https://github.com/advisories/GHSA-hg2w-3c4j-jjwm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hg2w-3c4j-jjwm/GHSA-hg2w-3c4j-jjwm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hg2w-3c4j-jjwm
Aliases
Published
2022-05-24T17:43:00Z
Modified
2023-11-01T04:54:17.923677Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Stored XSS vulnerability in Jenkins Repository Connector Plugin
Details

Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Jenkins Repository Connector Plugin 2.0.3 escapes parameter names and descriptions when creating new parameters.

Database specific
{
    "nvd_published_at": "2021-02-24T16:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-13T18:55:30Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:repository-connector

Package

Name
org.jenkins-ci.plugins:repository-connector
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/repository-connector

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.3

Affected versions

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.2.3
1.2.4
1.2.5
1.2.6
1.3.1

2.*

2.0.0
2.0.1
2.0.2

Database specific

{
    "last_known_affected_version_range": "<= 2.0.2"
}