GHSA-64r9-x74q-wxmh

Source
https://github.com/advisories/GHSA-64r9-x74q-wxmh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-64r9-x74q-wxmh/GHSA-64r9-x74q-wxmh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-64r9-x74q-wxmh
Aliases
  • CVE-2022-43409
Published
2022-10-19T19:00:22Z
Modified
2024-02-16T08:15:09.093959Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Stored XSS vulnerability in Jenkins Pipeline: Supporting APIs Plugin
Details

Pipeline: Supporting APIs Plugin provides a feature to add hyperlinks that send POST requests when clicked to build logs. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, and by Pipeline: Job Plugin to allow users to forcibly terminate the build after aborting it.

Pipeline: Supporting APIs Plugin 838.va3a087b_4055b and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.

Pipeline: Supporting APIs Plugin 839.v35e2736cfd5c properly encodes URLs of these hyperlinks in build logs.
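As an added illustration (not the plugin's own code), the Java below renders a "POST on click" build-log hyperlink two ways: the unencoded concatenation the advisory describes, and an encoded form. The markup shape (a data attribute read by page script) and the encoder are assumptions.

```java
// Added illustration, not the plugin's own code. Shows why a Pipeline-controlled URL
// written into build-log HTML must be encoded for the attribute it lands in.
public class PostHyperlinkRendering {

    // Encode a value for an HTML attribute or text node (the five significant characters).
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: the URL supplied by the Pipeline lands in the log markup unchanged.
    static String renderUnencoded(String url, String text) {
        return "<a href=\"#\" data-post-url=\"" + url + "\">" + text + "</a>";
    }

    // Hardened pattern: every untrusted value is encoded for the context it is written into.
    static String renderEncoded(String url, String text) {
        return "<a href=\"#\" data-post-url=\"" + htmlEncode(url) + "\">" + htmlEncode(text) + "</a>";
    }

    // Number of '<' characters; a correctly rendered link has exactly two (<a ...> and </a>).
    static int tagCount(String html) {
        int n = 0;
        for (char c : html.toCharArray()) if (c == '<') n++;
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample input: a URL that closes the attribute and appends its own markup.
        String hostile = "job/demo/abort\"><b>injected</b><a href=\"#";
        String vulnerable = renderUnencoded(hostile, "Abort");
        String hardened = renderEncoded(hostile, "Abort");
        System.out.println(vulnerable); // extra <b> and <a> elements appear in the log page
        System.out.println(hardened);   // one <a> whose attribute holds the literal, encoded text
        if (tagCount(vulnerable) == 2 || tagCount(hardened) != 2) {
            throw new IllegalStateException("encoding check failed");
        }
    }
}
```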

Database specific
{
    "nvd_published_at": "2022-10-19T16:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-19T22:22:35Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins.workflow:workflow-support

Package

Name
org.jenkins-ci.plugins.workflow:workflow-support
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-support

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
839.v35e2736cfd5c

Affected versions

0.*

0.1-beta-1
0.1-beta-2
0.1-beta-3
0.1-beta-4
0.1-beta-5
0.1-beta-6
0.1-beta-7
0.1-beta-8

1.*

1.0-beta-1
1.0
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.4.3-beta-1
1.4.3
1.5
1.6-alpha-1
1.6
1.7-alpha-1
1.7
1.8
1.9-beta-1
1.9
1.10-beta-1
1.10
1.10.1
1.11-beta-1
1.11-beta-2
1.11-beta-3
1.11-beta-4
1.11
1.12-beta-1
1.12-beta-2
1.12-beta-3
1.12
1.13
1.14-beta-1
1.14
1.14.1-beta-1
1.14.1
1.14.2
1.15-beta-1
1.15

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.8
2.9
2.10
2.11
2.12
2.13
2.14
2.15
2.16
2.17
2.17-durability-beta-1
2.17-durability-beta-2
2.17-durability-beta-3
2.18
2.19
2.20
2.21-beta-1
2.21
2.22
2.23
2.24

3.*

3.0
3.0-java11-alpha-1
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8

792.*

792.v1a3cd6ade3ef

804.*

804.vba10a18a1476

813.*

813.vb_d7c3d2984a_0

815.*

815.vd60466279fc8

817.*

817.v58126df57338

818.*

818.v4eb_969241b_c7

819.*

819.v37d707a_71d9b_

820.*

820.vd1a_6cc65ef33

827.*

827.v7ef666c4d65c
827.829.v01c0a_3d76c4f

833.*

833.va_1c71061486b_

838.*

838.va_3a_087b_4055b