GHSA-jwhm-9cjm-4493
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jwhm-9cjm-4493
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-jwhm-9cjm-4493/GHSA-jwhm-9cjm-4493.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jwhm-9cjm-4493
- Aliases
- Published
- 2021-06-16T17:24:41Z
- Modified
- 2024-02-16T08:22:12.555351Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Cross-site Scripting in Jenkins Dashboard View Plugin
- Details
-
Jenkins Dashboard View Plugin prior to 2.16 and 2.12.1 does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.
As part of this fix, the property for image URLs was changed from
urltoimageUrl. Existing Configuration as Code configurations are still supported, but exports will emit the new property. - Database specific
{ "nvd_published_at": "2021-05-11T15:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-05-19T19:16:07Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-21649
- https://github.com/jenkinsci/dashboard-view-plugin/commit/586817b081d903e47cfdd05b96b8aae1d2c2700b
- https://github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2021/21xxx/CVE-2021-21649.json
- https://github.com/jenkinsci/dashboard-view-plugin
- https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2233
Affected packages
Maven / org.jenkins-ci.plugins:dashboard-view
Package
- Name
- org.jenkins-ci.plugins:dashboard-view
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/dashboard-view
Maven / org.jenkins-ci.plugins:dashboard-view
Package
- Name
- org.jenkins-ci.plugins:dashboard-view
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/dashboard-view