PT-2022-25740 · Jenkins · Jenkins Anchore Container Image Scanner Plugin+1
Daniel Beck
·
Published
2022-09-21
·
Updated
2023-11-01
·
CVE-2022-41225
CVSS v3.1
8.0
High
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Anchore Container Image Scanner Plugin versions 1.0.24 and earlier
Description
The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the plugin does not escape content provided by the Anchore engine API, making it exploitable by attackers who can control API responses from the Anchore engine.
Recommendations
For Jenkins Anchore Container Image Scanner Plugin versions 1.0.24 and earlier, update to a version later than 1.0.24 to resolve the issue. As a temporary workaround, consider restricting access to the Anchore engine API to minimize the risk of exploitation.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Anchore Container Image Scanner Plugin