Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wODZ4LTc1ajgtdzR4aM4AAwPl
Stored XSS vulnerability in Jenkins Checkmarx Plugin
heckmarx Plugin processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI.
Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site scripting (XSS) vulnerability.
While Jenkins users without Overall/Administer permission are not allowed to configure the URL to the Checkmarx service, this could still be exploited via man-in-the-middle attacks.
Checkmarx Plugin 2022.4.3 escapes values returned from the Checkmarx service API before inserting them into HTML reports.
Permalink: https://github.com/advisories/GHSA-p86x-75j8-w4xhJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wODZ4LTc1ajgtdzR4aM4AAwPl
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-p86x-75j8-w4xh, CVE-2022-46684
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-46684
- https://www.jenkins.io/security/advisory/2022-12-07/#SECURITY-2869
- https://github.com/advisories/GHSA-p86x-75j8-w4xh
Affected Packages
maven:com.checkmarx.jenkins:checkmarx
Affected Version Ranges: <= 2022.3.3Fixed in: 2022.4.3