GHSA-38ch-x695-m794

Source
https://github.com/advisories/GHSA-38ch-x695-m794
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-38ch-x695-m794/GHSA-38ch-x695-m794.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-38ch-x695-m794
Published
2022-05-14T03:13:13Z
Modified
2023-11-08T03:59:37.482424Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Jenkins Groovy Postbuild Plugin vulnerable to Cross-site Scripting
Details

A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Database specific
{
    "nvd_published_at": "2018-06-05T21:29:00Z",
    "github_reviewed_at": "2022-11-22T19:45:11Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

Affected packages

Maven / org.jvnet.hudson.plugins:groovy-postbuild

Package

Name
org.jvnet.hudson.plugins:groovy-postbuild
Purl
pkg:maven/org.jvnet.hudson.plugins/groovy-postbuild

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4

Affected versions

1.*

1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10

2.*

2.0
2.1
2.2
2.2.1
2.2.2
2.3
2.3.1

Database specific

{
    "last_known_affected_version_range": "<= 2.3.1"
}