GHSA-hw55-f8wc-82m6

Source

https://github.com/advisories/GHSA-hw55-f8wc-82m6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hw55-f8wc-82m6/GHSA-hw55-f8wc-82m6.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-hw55-f8wc-82m6

Aliases

CVE-2019-10406

Published

2022-05-24T22:00:44Z

Modified

2023-11-01T04:50:03.419576Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Improper Neutralization of Input During Web Page Generation in Jenkins

Details

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T16:13:15Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2019-09-25T16:15:00Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven / org.jenkins-ci.main:jenkins-core

Package

Name: org.jenkins-ci.main:jenkins-core; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.176.4

Database specific

last_known_affected_version_range

"<= 2.176.3"

Maven / org.jenkins-ci.main:jenkins-core

Package

Name: org.jenkins-ci.main:jenkins-core; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.177

Fixed

2.197

Database specific

last_known_affected_version_range

"<= 2.196"