GHSA-p86x-75j8-w4xh

Опубликовано: 12 дек. 2022

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

Stored XSS vulnerability in Jenkins Checkmarx Plugin

heckmarx Plugin processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI.

Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site scripting (XSS) vulnerability.

While Jenkins users without Overall/Administer permission are not allowed to configure the URL to the Checkmarx service, this could still be exploited via man-in-the-middle attacks.

Checkmarx Plugin 2022.4.3 escapes values returned from the Checkmarx service API before inserting them into HTML reports.

Ссылки

Пакеты

Наименование

com.checkmarx.jenkins:checkmarx

maven

Затронутые версииВерсия исправления

<= 2022.3.3

2022.4.3

EPSS

Процентиль: 92%

0.09268

Низкий

7.5 High

CVSS3

CVE ID

CVE-2022-46684

Дефекты

CWE-79

Связанные уязвимости

CVE-2022-46684

CVSS3: 5.4

nvd

около 3 лет назад

Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability.

EPSS

Процентиль: 92%

0.09268

Низкий

7.5 High

CVSS3

CVE ID

CVE-2022-46684

Дефекты

CWE-79