Описание
Cross-site Scripting in Jenkins Dashboard View Plugin
Jenkins Dashboard View Plugin prior to 2.16 and 2.12.1 does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.
As part of this fix, the property for image URLs was changed from url to imageUrl. Existing Configuration as Code configurations are still supported, but exports will emit the new property.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2021-21649
- https://github.com/jenkinsci/dashboard-view-plugin/commit/586817b081d903e47cfdd05b96b8aae1d2c2700b
- https://github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2021/21xxx/CVE-2021-21649.json
- https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2233
Пакеты
org.jenkins-ci.plugins:dashboard-view
>= 2.13, < 2.16
2.16
org.jenkins-ci.plugins:dashboard-view
< 2.12.1
2.12.1
Связанные уязвимости
Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.