Описание
Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission.
A flaw was found in the Jenkins Sonargraph Integration Plugin, where it is vulnerable to Cross-site scripting caused by the improper validation of user-supplied input. This flaw allows a remote, authenticated attacker to inject malicious script into a Web page, which would be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed, and steal the victim's cookie-based authentication credentials.
Отчет
The Jenkins Sonargraph Integration Plugin is not shipped in any of the Red Hat products. Hence, Red Hat Products are not affected.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Cryostat 2 | jenkins-2-plugins | Not affected | ||
| Node HealthCheck Operator | jenkins-2-plugins | Not affected | ||
| OpenShift Developer Tools and Services | jenkins-2-plugins | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins-2-plugins | Not affected | ||
| Red Hat OpenShift Container Platform 4 | jenkins-2-plugins | Not affected |
Показывать по
Дополнительная информация
Статус:
8 High
CVSS3
Связанные уязвимости
Jenkins Sonargraph Integration Plugin 5.0.1 and earlier does not escape the file path and the project name for the Log file field form validation, resulting in a stored cross-site scripting vulnerability exploitable by attackers with Item/Configure permission.
Jenkins Sonargraph Integration Plugin vulnerable to Stored Cross-site Scripting
8 High
CVSS3