Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jajlqLXY4anAtNmhtOc4AAgZY
Cross-site Scripting in Jenkins Autocomplete Parameter Plugin
Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from JavaScript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission (that is, anyone who can define parameters on a job).
While this looks similar to SECURITY-2729, this is an independent problem and exploitable even on views rendering parameters that otherwise attempt to prevent XSS vulnerabilities in parameter names.
Permalink: https://github.com/advisories/GHSA-cj9j-v8jp-6hm9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jajlqLXY4anAtNmhtOc4AAgZY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-cj9j-v8jp-6hm9, CVE-2022-30970
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-30970
- https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2267
- https://github.com/advisories/GHSA-cj9j-v8jp-6hm9
Affected Packages
maven:org.jenkins-ci.plugins:autocomplete-parameter
Affected Version Ranges: <= 1.1
No known fixed version