GHSA-6fg4-36v7-xv32
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6fg4-36v7-xv32
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-6fg4-36v7-xv32/GHSA-6fg4-36v7-xv32.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6fg4-36v7-xv32
- Aliases
- Published
- 2022-03-16T00:00:45Z
- Modified
- 2024-02-16T08:20:11.623807Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Stored Cross-site Scripting vulnerability in Jenkins Dashboard View Plugin
- Details
-
Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views.
Dashboard View Plugin 2.18.1 performs URL validation for the Iframe Portlet’s Iframe source URL. Additionally, Dashboard View Plugin 2.18.1 sets the sandbox attribute for the iframe to restrict the included page.
In case of problems, the Java system property
hudson.plugins.view.dashboard.core.IframePortlet.sandboxAttributeValuecan be used to customize the sandbox attribute value. The Java system propertyhudson.plugins.view.dashboard.core.IframePortlet.doNotUseSandboxcan be used to disable the sandbox completely. - Database specific
{ "nvd_published_at": "2022-03-15T17:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-11-30T20:39:49Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-27197
- https://github.com/jenkinsci/dashboard-view-plugin/commit/942c5c78fa834a6be242f144adc2b7f045ccdbc3
- https://github.com/jenkinsci/dashboard-view-plugin
- https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2559
- http://www.openwall.com/lists/oss-security/2022/03/15/2
Affected packages
Maven / org.jenkins-ci.plugins:dashboard-view
Package
- Name
- org.jenkins-ci.plugins:dashboard-view
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/dashboard-view