PT-2022-19380 · Jenkins · Jenkins Git Parameter Plugin
Published: 2022-04-12 · Updated: 2023-11-17 · CVE-2022-29040
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Git Parameter Plugin versions 0.9.15 and earlier
Description
The plugin does not escape the name and description of Git parameters on views that display parameters, resulting in a stored cross-site scripting (XSS) vulnerability. Attackers with Item/Configure permission can exploit this.
Recommendations
For Jenkins Git Parameter Plugin versions 0.9.15 and earlier, update to a version that fixes the stored cross-site scripting vulnerability.
As a temporary workaround, consider restricting access to views displaying parameters to minimize the risk of exploitation.
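As an added illustration (not the plugin's own code), the following Python model shows the flaw class the description and recommendations above refer to: a parameters view that interpolates name and description as raw HTML beside its escaped form, a review check that flags fields which reached the output unescaped, and a helper for the affected-version range. The parameter names, the sample markup and the Python rendering are assumptions; the real plugin renders Jelly views in Java.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class GitParameter:
    name: str
    description: str


# Constructed sample: one description carries markup, standing in for what a
# user with Item/Configure permission could store in a job's configuration.
SAMPLE_PARAMS = [
    GitParameter("BRANCH", "Branch to build"),
    GitParameter("TAG", "Release tag <script>alert(1)</script>"),
]


def render_vulnerable(params):
    """Flaw class from the advisory: name/description dropped into the
    parameters view as raw HTML, so stored markup is rendered as markup."""
    rows = "".join(f"<tr><td>{p.name}</td><td>{p.description}</td></tr>" for p in params)
    return f"<table>{rows}</table>"


def render_hardened(params):
    """Same view with both fields HTML-escaped (quote=True also covers attribute context)."""
    rows = "".join(
        f"<tr><td>{html.escape(p.name, quote=True)}</td>"
        f"<td>{html.escape(p.description, quote=True)}</td></tr>"
        for p in params
    )
    return f"<table>{rows}</table>"


def leaked_markup(rendered, params):
    """Review check: user-controlled values containing '<' or '>' that appear
    verbatim in the rendered output, i.e. were not escaped."""
    return [v for p in params for v in (p.name, p.description)
            if ("<" in v or ">" in v) and v in rendered]


def is_affected(version):
    """True for Git Parameter Plugin 0.9.15 and earlier (numeric components only;
    a suffix such as '-SNAPSHOT' is ignored)."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version))
    return parts <= (0, 9, 15)
```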
Fix
XSS
Affected Products
Jenkins
Jenkins Git Parameter Plugin