Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02Zmc0LTM2djcteHYzMs0y_g

Stored Cross-site Scripting vulnerability in Jenkins Dashboard View Plugin

Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views.

Dashboard View Plugin 2.18.1 performs URL validation for the Iframe Portlet's Iframe source URL.
Additionally, Dashboard View Plugin 2.18.1 sets the sandbox attribute for the iframe to restrict the included page.

In case of problems, the Java system property hudson.plugins.view.dashboard.core.IframePortlet.sandboxAttributeValue can be used to customize the sandbox attribute value. The Java system property hudson.plugins.view.dashboard.core.IframePortlet.doNotUseSandbox can be used to disable the sandbox completely.
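The two mitigations named above (validating the portlet's source URL before it is rendered, and emitting the iframe with a sandbox attribute that can be customised or switched off) can be illustrated with a small server-side renderer. The following is an added example written for this page; it is not the Dashboard View Plugin's code. The allowed-scheme set, the default sandbox value, the function names and the sample URLs are all assumptions; the sandbox_value and disable_sandbox parameters only mirror the role of the two Java system properties mentioned in the advisory.

```python
from html import escape
from typing import Optional
from urllib.parse import urlparse

# Assumption: only absolute http(s) URLs are acceptable iframe sources.
# Everything else (javascript:, data:, vbscript:, scheme-relative "//host",
# relative paths) is rejected before any markup is produced.
ALLOWED_SCHEMES = {"http", "https"}

# Assumption: default sandbox value. Note that granting allow-scripts together
# with allow-same-origin would let the framed page remove its own sandbox,
# so the two are deliberately not combined here.
DEFAULT_SANDBOX = "allow-scripts allow-forms"

# Hard upper bound on URL length to keep pathological configuration values out.
MAX_URL_LENGTH = 2048


def validate_iframe_source(url: object) -> Optional[str]:
    """Return the URL unchanged if it is an absolute http(s) URL, else None."""
    if not isinstance(url, str) or len(url) > MAX_URL_LENGTH:
        return None
    candidate = url.strip()
    # Reject ASCII control characters explicitly: browsers silently strip
    # tab/CR/LF inside a scheme, so "java\tscript:" must not slip through.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return None
    parsed = urlparse(candidate)  # urlparse lower-cases the scheme for us
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        return None
    return candidate


def render_iframe_portlet(url: object,
                          sandbox_value: str = DEFAULT_SANDBOX,
                          disable_sandbox: bool = False) -> str:
    """Render the portlet markup, or an inert error message for invalid URLs.

    sandbox_value / disable_sandbox play the role of the two system
    properties from the advisory (assumed mapping, not the plugin's code).
    """
    src = validate_iframe_source(url)
    if src is None:
        return '<p class="error">Invalid iframe source URL</p>'
    # Attribute-encode the (already validated) URL so a stray quote inside the
    # path or query can never terminate the src attribute.
    attrs = f'src="{escape(src, quote=True)}"'
    if not disable_sandbox:
        attrs += f' sandbox="{escape(sandbox_value, quote=True)}"'
    return f"<iframe {attrs}></iframe>"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate dashboard URL, two that the
    # validation step must reject, and one that relies on output encoding.
    for sample in ("https://ci.example.invalid/metrics",
                   "javascript:alert(1)",
                   "//evil.example.invalid/",
                   'https://ci.example.invalid/x" onload="alert(1)'):
        print(render_iframe_portlet(sample))
```

The validation step rejects the URL outright rather than trying to sanitise it, and the encoding step is applied even to URLs that passed validation; the sandbox attribute is a third, independent layer that limits what a framed page can do if the first two are ever relaxed through configuration.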

Permalink: https://github.com/advisories/GHSA-6fg4-36v7-xv32
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02Zmc0LTM2djcteHYzMs0y_g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 6 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-6fg4-36v7-xv32, CVE-2022-27197
References: Repository: https://github.com/jenkinsci/dashboard-view-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:dashboard-view
Affected Version Ranges: < 2.18.1
Fixed in: 2.18.1