CVE-2022-29041

Jenkins Jira Plugin 3.7 and earlier, except 3.6.1, does not escape the name and description of Jira Issue and Jira Release Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

References

https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617

Affected packages

Git / github.com/jenkinsci/jira-plugin

Affected ranges

Type

GIT

Repo

https://github.com/jenkinsci/jira-plugin

Events

Introduced

Fixed

741752414b9655898d4a6c343658418c774b4879

Introduced

Last affected

64fa699e708385ce85b53f41063044e5f3b3bb7f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.6.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.7"
        }
    ]
}

Affected versions

3.*

3.0.12

jira-1.*

jira-1.26

jira-1.27

jira-1.28

jira-1.29

jira-1.30

jira-1.31

jira-1.32

jira-1.33

jira-1.34

jira-1.35

jira-1.36

jira-1.37

jira-1.38

jira-1.39

jira-1.40

jira-1.41

jira-2.*

jira-2.0

jira-2.1

jira-2.2

jira-2.2.1

jira-2.3

jira-2.4

jira-2.4.2

jira-2.5

jira-2.5.1

jira-2.5.2

jira-3.*

jira-3.0.0

jira-3.0.1

jira-3.0.10

jira-3.0.11

jira-3.0.12

jira-3.0.13

jira-3.0.14

jira-3.0.15

jira-3.0.16

jira-3.0.17

jira-3.0.18

jira-3.0.2

jira-3.0.3

jira-3.0.4

jira-3.0.5

jira-3.0.6

jira-3.0.7

jira-3.0.8

jira-3.0.9

jira-3.1.0

jira-3.1.1

jira-3.1.2

jira-3.1.3

jira-3.2

jira-3.2.1

jira-3.3

jira-3.4

jira-3.5

jira-3.6

jira-3.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29041.json"