GHSA-cj9j-v8jp-6hm9

Source

https://github.com/advisories/GHSA-cj9j-v8jp-6hm9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cj9j-v8jp-6hm9/GHSA-cj9j-v8jp-6hm9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cj9j-v8jp-6hm9

Aliases

CVE-2022-30970

Published

2022-05-18T00:00:42Z

Modified

2023-11-08T04:09:21.859659Z

Severity

8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Cross-site Scripting in Jenkins Autocomplete Parameter Plugin

Details

Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

While this looks similar to SECURITY-2729, this is an independent problem and exploitable even on views rendering parameters that otherwise attempt to prevent XSS vulnerabilities in parameter names.

Database specific

{
    "nvd_published_at": "2022-05-17T15:15:00Z",
    "github_reviewed_at": "2022-06-01T21:17:20Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:autocomplete-parameter

Package

Name: org.jenkins-ci.plugins:autocomplete-parameter; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/autocomplete-parameter

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.1

Affected versions

1.*

1.0

1.1