Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp3aG0tOWNqbS00NDkz

Cross-site Scripting in Jenkins Dashboard View Plugin

Jenkins Dashboard View Plugin prior to 2.16 and 2.12.1 does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

As part of this fix, the property for image URLs was changed from url to imageUrl. Existing Configuration as Code configurations are still supported, but exports will emit the new property.
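The two sentences above describe a rendering defect (a URL interpolated into an `<img>` attribute without escaping) and a compatibility-preserving property rename. The following Python example is added here to illustrate both; it is not code from the Dashboard View Plugin (which is Java/Jelly) or from the advisory. All function names, the `ALLOWED_SCHEMES` policy, the sample URL and the sample configuration dictionaries are constructed for the illustration.

```python
"""Added illustration (not plugin code) of the two points in the advisory:

1. a user-supplied image URL must be attribute-escaped, and its scheme
   checked, before it is rendered into <img src="...">;
2. a renamed configuration property ('url' -> 'imageUrl') can keep accepting
   the old key on import while only the new key is emitted on export.
"""
import html
from urllib.parse import urlsplit

# Assumption for this example: portlets only ever show web-hosted or
# Jenkins-relative images, so anything else (javascript:, data:, ...) is refused.
ALLOWED_SCHEMES = {"http", "https"}


def render_image_portlet_unescaped(image_url: str) -> str:
    """The vulnerable pattern, kept only for comparison: the stored URL is
    interpolated into the markup exactly as the configuring user typed it."""
    return f'<img src="{image_url}">'


def is_acceptable_image_url(image_url: str) -> bool:
    """Allow relative URLs (empty scheme) and http(s); reject any other scheme.
    Leading/trailing whitespace is stripped first so it cannot hide a scheme."""
    scheme = urlsplit(image_url.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def render_image_portlet(image_url: str) -> str:
    """The hardened pattern: refuse unexpected schemes, then HTML-escape the
    value (quote=True turns '"' into &quot;) so it cannot close the attribute."""
    if not is_acceptable_image_url(image_url):
        raise ValueError(
            f"refusing image URL with scheme {urlsplit(image_url.strip()).scheme!r}"
        )
    return f'<img src="{html.escape(image_url, quote=True)}">'


def breaks_out_of_attribute(markup: str) -> bool:
    """Crude check for the demo: a correctly rendered portlet contains exactly
    two double quotes, the pair that delimits the src value."""
    return markup.count('"') != 2


# Constructed sample input: a stored URL carrying a double quote, the kind of
# value a user with View/Configure permission could save into a portlet.
INJECTED_URL = 'https://example.invalid/build.png" class="injected'


def normalise_portlet_config(config: dict) -> dict:
    """Accept both the legacy key 'url' and the new key 'imageUrl' on import and
    return a dictionary that uses only 'imageUrl', which is what an export would
    emit. If both keys are present the new one wins."""
    if "imageUrl" in config:
        image_url = config["imageUrl"]
    elif "url" in config:
        image_url = config["url"]
    else:
        raise KeyError("portlet config needs 'imageUrl' (or legacy 'url')")
    normalised = {k: v for k, v in config.items() if k not in ("url", "imageUrl")}
    normalised["imageUrl"] = image_url
    return normalised


if __name__ == "__main__":
    # The unescaped rendering lets the stored quote close the src attribute;
    # the escaped rendering keeps the whole string inside it.
    print(render_image_portlet_unescaped(INJECTED_URL))
    print(render_image_portlet(INJECTED_URL))
    # Legacy Configuration as Code input still loads, but comes out as imageUrl.
    print(normalise_portlet_config({"url": "/userContent/logo.png", "name": "Logo"}))
```

The scheme check is a separate policy decision from the escaping: escaping alone stops the attribute from being closed early, but it does not stop a `javascript:` URL from being stored, so a defender wants both in a portlet that renders user-configured URLs.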

Permalink: https://github.com/advisories/GHSA-jwhm-9cjm-4493
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp3aG0tOWNqbS00NDkz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: 5 months ago


CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-jwhm-9cjm-4493, CVE-2021-21649
References: Repository: https://github.com/CVEProject/cvelist
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:dashboard-view
Affected Version Ranges: < 2.12.1, >= 2.13, < 2.16
Fixed in: 2.12.1, 2.16