Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02NHI5LXg3NHEtd3htaM4AAvdW
Stored XSS vulnerability in Jenkins Pipeline: Supporting APIs Plugin
Pipeline: Supporting APIs Plugin provides a feature to add hyperlinks, that send POST requests when clicked, to build logs. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by Pipeline: Job Plugin to allow users to forcibly terminate the build after aborting it.
Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.
Pipeline: Supporting APIs Plugin 839.v35e2736cfd5c properly encodes URLs of these hyperlinks in build logs.
Permalink: https://github.com/advisories/GHSA-64r9-x74q-wxmhJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NHI5LXg3NHEtd3htaM4AAvdW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 4 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-64r9-x74q-wxmh, CVE-2022-43409
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-43409
- https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881
- http://www.openwall.com/lists/oss-security/2022/10/19/3
- https://github.com/jenkinsci/workflow-support-plugin/commit/35e2736cfd5c56799eece176328906d92b6a0dd1
- https://github.com/advisories/GHSA-64r9-x74q-wxmh
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins.workflow:workflow-support
Affected Version Ranges: < 839.v35e2736cfd5cFixed in: 839.v35e2736cfd5c