GHSA-hqmp-vxj7-5wpq

Опубликовано: 01 июл. 2022

Источник: github

Github: Прошло ревью

CVSS3: 8

Описание

Cross-site Scripting in Jenkins Validating Email Parameter Plugin

Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type.

Additionally, it disables the security hardening added in Jenkins 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix that protects the "Build With Parameters" and "Parameters" pages from vulnerabilities like this by default.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Ссылки

Пакеты

Наименование

io.jenkins.plugins:validating-email-parameter

maven

Затронутые версииВерсия исправления

<= 1.10

Отсутствует

EPSS

Процентиль: 94%

0.14252

Средний

8 High

CVSS3

CVE ID

CVE-2022-34791

Дефекты

CWE-79

Связанные уязвимости

CVE-2022-34791

CVSS3: 5.4

nvd

больше 3 лет назад

Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

EPSS

Процентиль: 94%

0.14252

Средний

8 High

CVSS3

CVE ID

CVE-2022-34791

Дефекты

CWE-79