GHSA-w43x-5f8f-686p

Source
https://github.com/advisories/GHSA-w43x-5f8f-686p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w43x-5f8f-686p/GHSA-w43x-5f8f-686p.json
Aliases
Published
2022-05-24T17:23:39Z
Modified
2024-02-16T08:15:32.086134Z
Details

Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Matrix Project Plugin 1.17 escapes the axis names shown in these tooltips.

References

Affected packages

Maven / org.jenkins-ci.plugins:matrix-project

Package

Name
org.jenkins-ci.plugins:matrix-project

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
1.17

Affected versions

1.*

1.0-beta-1
1.0
1.1
1.2
1.2.1
1.3
1.4
1.4.1
1.5
1.6
1.7
1.7.1
1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.14.1
1.15
1.16

Database specific

{
    "last_known_affected_version_range": "<= 1.16"
}