PT-2021-14703 · Jenkins · Jenkins Markdown Formatter Plugin
Published 2021-05-25 · Updated 2023-11-03
CVE-2021-21660
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Markdown Formatter Plugin versions 0.1.0 and earlier
Description
The plugin renders descriptions with a Markdown library that does not escape crafted link target URLs, so a link target that survives into the generated HTML unescaped becomes a stored cross-site scripting (XSS) vulnerability. It can be exploited by attackers who have the ability to edit descriptions rendered using the configured markup formatter.
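The class of check the description says the original Markdown library lacked, as an added illustration that is not the plugin's or Jenkins' own code: a minimal Markdown link renderer that HTML-escapes link text and target and only emits an href whose scheme is on an allowlist. The function names, the regular expression and the allowlist are assumptions for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes a rendered link target may use. The set is an assumption for this
# example; a site would choose what it actually needs.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Inline Markdown links of the form [text](target); targets with ')' or
# whitespace are not matched and therefore never rendered as links.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")


def is_safe_link_target(target: str) -> bool:
    """True only for relative targets or targets with an allowlisted scheme.

    urlsplit lowercases the scheme, so mixed-case variants are caught.
    Control characters and whitespace are rejected outright because browsers
    strip some of them before interpreting the scheme.
    """
    if any(ord(c) < 0x20 or c.isspace() for c in target):
        return False
    scheme = urlsplit(target).scheme
    return scheme == "" or scheme in SAFE_SCHEMES


def render_link(text: str, target: str) -> str:
    """Render one link; an unsafe target degrades to escaped plain text."""
    safe_text = html.escape(text, quote=True)
    if not is_safe_link_target(target):
        return safe_text
    # Escaping the target too keeps '&' from being reinterpreted as an HTML
    # entity inside the attribute, which would otherwise reintroduce ':'.
    return f'<a href="{html.escape(target, quote=True)}">{safe_text}</a>'


def render_markdown_links(markdown: str) -> str:
    """Escape all surrounding text and rewrite each [text](target) link."""
    out = []
    pos = 0
    for m in LINK_RE.finditer(markdown):
        out.append(html.escape(markdown[pos:m.start()], quote=True))
        out.append(render_link(m.group(1), m.group(2)))
        pos = m.end()
    out.append(html.escape(markdown[pos:], quote=True))
    return "".join(out)
```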
Recommendations
For Jenkins Markdown Formatter Plugin versions 0.1.0 and earlier, update to version 0.2.0 or later, which uses a different Markdown library that is not affected by this problem.
Fix
XSS
Affected Products
Jenkins
Jenkins Markdown Formatter Plugin