Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mOWdmLTJxODctNW00NM4AAqqe
Stored XSS vulnerability in Jenkins Scriptler Plugin
Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.
Jenkins Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to confirm their deletion.
Permalink: https://github.com/advisories/GHSA-f9gf-2q87-5m44JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mOWdmLTJxODctNW00NM4AAqqe
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-f9gf-2q87-5m44, CVE-2021-21700
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21700
- https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2406
- http://www.openwall.com/lists/oss-security/2021/11/12/1
- https://github.com/jenkinsci/scriptler-plugin/commit/7e4fa9b51f37714decca30a35dd81e41f72aec93
- https://github.com/advisories/GHSA-f9gf-2q87-5m44
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:scriptler
Affected Version Ranges: <= 3.3Fixed in: 3.4