Description
Stored XSS vulnerability in Matrix Project Plugin
Jenkins Matrix Project Plugin prior to 1.20 and 1.18.1 does not escape HTML metacharacters in node and label names, and label descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
Matrix Project Plugin 1.20 and 1.18.1 escapes HTML metacharacters in node and label names, and label descriptions.
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-20615
- https://github.com/jenkinsci/matrix-project-plugin/commit/78cc60556304965ffb2dd8c017bf61d4f153f5ea
- https://github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2022/20xxx/CVE-2022-20615.json
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2017
- https://www.oracle.com/security-alerts/cpuapr2022.html
- http://www.openwall.com/lists/oss-security/2022/01/12/6
Packages
- org.jenkins-ci.plugins:matrix-project: affected = 1.19, fixed in 1.20
- org.jenkins-ci.plugins:matrix-project: affected < 1.18.1, fixed in 1.18.1
Related vulnerabilities
Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.