PT-2022-20411 · Jenkins · Jenkins Rundeck Plugin+1

Kevin Guerroudj · Published 2022-05-17 · Updated 2023-11-03 · CVE-2022-30956

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins Rundeck Plugin versions 3.6.10 and earlier
Description: The issue is a stored cross-site scripting (XSS) vulnerability. It occurs because the Jenkins Rundeck Plugin does not restrict URL schemes in Rundeck webhook submissions, so an attacker who is able to submit Rundeck webhook payloads can include a crafted URL in them.
Recommendations: For versions 3.6.10 and earlier, update to version 3.6.11 or later, which sanitizes URLs submitted in Rundeck webhook payloads. As a temporary workaround, restrict access to Rundeck webhook submissions to minimize the risk of exploitation.
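The fix described above is a URL-scheme allowlist applied to webhook-supplied URLs before they are rendered. The following is an added illustration of that kind of sanitization, written for this page; it is not the Rundeck plugin's own code, uses no Jenkins or Rundeck API, and the class name, method names and sample payload values are all constructed for the example. Only absolute http(s) URLs with a host are accepted as link targets; everything else is rendered as escaped text rather than as a clickable link.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (hypothetical helper, not the plugin's code): allowlist the
 * scheme of a URL received in a webhook payload before rendering it as a link.
 */
public final class WebhookUrlSanitizer {

    // Only absolute http(s) URLs may become link targets. javascript:, data:,
    // vbscript:, scheme-relative ("//host/...") and relative URLs are all dropped.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns the URL unchanged if it is an absolute http(s) URL with a host, otherwise null. */
    public static String sanitizeLink(String candidate) {
        if (candidate == null) {
            return null;
        }
        String trimmed = candidate.trim();
        URI uri;
        try {
            uri = new URI(trimmed);
        } catch (URISyntaxException e) {
            return null; // unparseable input is rejected, never passed through
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return null; // relative or scheme-relative URL: the browser would pick the scheme
        }
        if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return null; // case-insensitive check: "JaVaScRiPt:" must not slip through
        }
        if (uri.getHost() == null) {
            return null; // "http:" without an authority is not a usable link target
        }
        return trimmed;
    }

    /** Escapes the characters that matter inside HTML element bodies and attribute values. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders an anchor for an accepted URL; a rejected URL yields the escaped label only. */
    public static String renderLink(String url, String label) {
        String safeUrl = sanitizeLink(url);
        String safeLabel = escapeHtml(label);
        if (safeUrl == null) {
            return safeLabel; // no clickable target for anything outside the allowlist
        }
        return "<a href=\"" + escapeHtml(safeUrl) + "\">" + safeLabel + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for URL fields of a webhook payload.
        String[] samples = {
            "https://rundeck.example.test/project/demo/execution/show/42",
            "javascript:void(0)",
            "JaVaScRiPt:void(0)",
            "data:text/plain,hello",
            "//evil.example.test/x",
            "not a url"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + renderLink(s, "Rundeck execution"));
        }
    }
}
```

Only the first sample produces an anchor tag; the others are printed as the escaped label alone. Note that the check is on the parsed scheme, not on a string prefix, so leading whitespace and mixed case do not bypass it, and a URL that fails to parse at all is treated as untrusted rather than forwarded to the browser.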

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-30956
GHSA-4M42-8QFQ-H3Q9

Affected Products

Jenkins
Jenkins Rundeck Plugin