PT-2022-27950 · Jenkins · Jenkins Custom Build Properties Plugin
Kevin Guerroudj · Published 2022-12-07 · Updated 2022-12-12 · CVE-2022-46686
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Custom Build Properties Plugin versions 2.79.vc095ccc85094 and earlier
Description
The plugin does not escape property values and build display names on the Custom Build Properties and Build Summary pages, which results in a stored cross-site scripting (XSS) vulnerability. It is exploitable by attackers who can set or change these values.
Recommendations
For versions 2.79.vc095ccc85094 and earlier, update to version 2.82.v16d5b d3590c7 or later, which escapes property values and build display names on the Custom Build Properties and Build Summary pages.
Fix
XSS
Affected Products
Jenkins
Jenkins Custom Build Properties Plugin