GHSA-hqmp-vxj7-5wpq

Source
https://github.com/advisories/GHSA-hqmp-vxj7-5wpq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-hqmp-vxj7-5wpq/GHSA-hqmp-vxj7-5wpq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hqmp-vxj7-5wpq
Aliases
  • CVE-2022-34791
Published
2022-07-01T00:01:07Z
Modified
2023-11-08T04:09:47.312635Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Cross-site Scripting in Jenkins Validating Email Parameter Plugin
Details

Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type.

Additionally, it disables the security hardening added in Jenkins 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix that protects the "Build With Parameters" and "Parameters" pages from vulnerabilities like this by default.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
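The two conditions the advisory describes (a parameter view that interpolates the raw name and description, and a view that opts out of the core escaping hardening) are both visible in a plugin's Jelly source, so they can be audited before release. The script below is an added example, not code from the Validating Email Parameter Plugin or from Jenkins. It assumes, as a description of Jenkins core that this page does not spell out, that the SECURITY-353 hardening is the Jelly variable `escapeEntryTitleAndDescription`, which the core parameter pages set to true and which a plugin view can set back to false, and that `${h.escape(it.name)}` / `${it.formattedDescription}` are the escaped forms. Both sample views are constructed for this example.

```python
"""Audit Jenkins parameter-definition Jelly views for the two XSS preconditions
named in GHSA-hqmp-vxj7-5wpq: raw ${it.name}/${it.description} in an f:entry,
and opting out of the Jenkins 2.44 / LTS 2.32.2 escaping hardening.

Added example; not the plugin's or Jenkins' own code. Assumption: the hardening
is the Jelly variable escapeEntryTitleAndDescription (true on the core parameter
pages). While it is true, f:entry escapes its title and description itself, so a
raw ${it.name} is only exploitable once a view sets the variable to false.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str     # "hardening-disabled" or "unescaped-attribute"
    detail: str


# <j:set var="escapeEntryTitleAndDescription" value="false"/>, any attribute order
_DISABLE_RE = re.compile(
    r'<j:set\b(?=[^>]*\bvar\s*=\s*["\']escapeEntryTitleAndDescription["\'])'
    r'(?=[^>]*\bvalue\s*=\s*["\']false["\'])[^>]*>',
    re.IGNORECASE,
)
# Opening <f:entry ...> tag; the attribute string is captured as a whole
_ENTRY_RE = re.compile(r'<f:entry\b([^>]*)>', re.IGNORECASE)
# title="..." and description="..." attributes inside that tag
_ATTR_RE = re.compile(r'\b(title|description)\s*=\s*"([^"]*)"')
# Raw interpolation of the parameter name/description. ${h.escape(it.name)} and
# ${it.formattedDescription} do not match because the text after "${" differs.
_RAW_REF_RE = re.compile(r'\$\{\s*it\.(name|description)\s*\}')


def audit_jelly(text: str) -> list[Finding]:
    """Return findings for one Jelly view, ordered by line number."""
    findings: list[Finding] = []

    def line_of(pos: int) -> int:
        return text.count("\n", 0, pos) + 1

    for m in _DISABLE_RE.finditer(text):
        findings.append(Finding(line_of(m.start()), "hardening-disabled",
                                "view sets escapeEntryTitleAndDescription=false"))
    for m in _ENTRY_RE.finditer(text):
        for attr, value in _ATTR_RE.findall(m.group(1)):
            ref = _RAW_REF_RE.search(value)
            if ref:
                findings.append(Finding(
                    line_of(m.start()), "unescaped-attribute",
                    f'f:entry {attr}="{value}" interpolates it.{ref.group(1)} without escaping'))
    findings.sort(key=lambda f: f.line)   # stable, keeps attribute order within a line
    return findings


def is_vulnerable(text: str) -> bool:
    """True when both preconditions hold: the hardening is disabled in this view
    and at least one f:entry renders the name or description unescaped."""
    kinds = {f.kind for f in audit_jelly(text)}
    return "hardening-disabled" in kinds and "unescaped-attribute" in kinds


# Constructed sample: the pattern the advisory describes (not the plugin's real view)
VULNERABLE_VIEW = '''<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <j:set var="escapeEntryTitleAndDescription" value="false"/>
  <f:entry title="${it.name}" description="${it.description}">
    <div name="parameter">
      <input type="hidden" name="name" value="${it.name}"/>
      <f:textbox name="value" value="${it.defaultValue}"/>
    </div>
  </f:entry>
</j:jelly>
'''

# Constructed sample: keeps the core hardening and uses the escaped forms
HARDENED_VIEW = '''<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
    <div name="parameter">
      <input type="hidden" name="name" value="${it.name}"/>
      <f:textbox name="value" value="${it.defaultValue}"/>
    </div>
  </f:entry>
</j:jelly>
'''


if __name__ == "__main__":
    for label, view in (("vulnerable", VULNERABLE_VIEW), ("hardened", HARDENED_VIEW)):
        print(f"{label}: is_vulnerable={is_vulnerable(view)}")
        for f in audit_jelly(view):
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```

Run it over `src/main/resources/**/index.jelly` of a plugin under review; a view that only trips "unescaped-attribute" is protected by the core page's own escaping, while one that also trips "hardening-disabled" reproduces the combination described above.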

Database specific
{
    "nvd_published_at": "2022-06-30T18:15:00Z",
    "github_reviewed_at": "2022-07-12T18:20:00Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Maven / io.jenkins.plugins:validating-email-parameter

Package

Name
io.jenkins.plugins:validating-email-parameter
Purl
pkg:maven/io.jenkins.plugins/validating-email-parameter

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.10

Affected versions

1.*

1.8
1.10