GHSA-jmxr-w2jc-qp7w

Suggest an improvement
Source
https://github.com/advisories/GHSA-jmxr-w2jc-qp7w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-jmxr-w2jc-qp7w/GHSA-jmxr-w2jc-qp7w.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-jmxr-w2jc-qp7w
Aliases
Published
2022-04-13T00:00:16Z
Modified
2023-11-01T04:58:39.628784Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Promotion names in Jenkins promoted builds Plugin are not validated when using Job DSL
Details

Jenkins promoted builds Plugin provides dedicated support for defining promotions using Job DSL Plugin.

promoted builds Plugin 873.v6149db_d64130 and earlier does not validate the names of promotions defined in Job DSL. This allows attackers with Job/Configure permission to create a promotion with an unsafe name. As a result, the promotion name could be used for cross-site scripting (XSS) or to replace other config.xml files.

promoted builds Plugin 876.v99d29788b36b and 3.10.1 validates the name of promotions.

Database specific
{
    "nvd_published_at": "2022-04-12T20:15:00Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-22T21:07:53Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:promoted-builds

Package

Name
org.jenkins-ci.plugins:promoted-builds
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/promoted-builds

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.10.1

Affected versions

2.*

2.0
2.1
2.2
2.3
2.3.1
2.4
2.5
2.6
2.6.1
2.6.2
2.7
2.8
2.9
2.10
2.11
2.12
2.13
2.14
2.15
2.16
2.17
2.18
2.19
2.20
2.21
2.22-beta1
2.22
2.23
2.23.1
2.24
2.24.1
2.25
2.26
2.27
2.28
2.28.1
2.29
2.29.1
2.30
2.31
2.31.1

3.*

3.0
3.1
3.2
3.3
3.4
3.5
3.5.1
3.6
3.7
3.9
3.9.1
3.10

Maven / org.jenkins-ci.plugins:promoted-builds

Package

Name
org.jenkins-ci.plugins:promoted-builds
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/promoted-builds

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.11
Fixed
876.v99d29788b

Affected versions

3.*

3.11

867.*

867.v7c3a_b_83a_eb_79

873.*

873.v6149db_d64130