GHSA-hv48-hgp6-xpqf

Suggest an improvement
Source
https://github.com/advisories/GHSA-hv48-hgp6-xpqf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-hv48-hgp6-xpqf/GHSA-hv48-hgp6-xpqf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hv48-hgp6-xpqf
Aliases
Published
2023-08-16T15:30:18Z
Modified
2023-11-11T05:20:00.758559Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Jenkins Flaky Test Handler Plugin stored cross-site scripting vulnerability
Details

Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents.

Flaky Test Handler Plugin 1.2.3 escapes JUnit test contents when showing them on the Jenkins UI.

Database specific
{
    "nvd_published_at": "2023-08-16T15:15:11Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-16T21:12:56Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:flaky-test-handler

Package

Name
org.jenkins-ci.plugins:flaky-test-handler
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/flaky-test-handler

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.3

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.2.0
1.2.1
1.2.2