PT-2022-27951 · Jenkins · Jenkins Spring Config Plugin
Valdes Che Zogou
Published: 2022-12-07 · Updated: 2022-12-12
CVE-2022-46687
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Spring Config Plugin versions 2.0.0 and earlier
Description
The issue is a stored cross-site scripting (XSS) vulnerability. Build display names shown on the Spring Config view are not escaped, so an attacker who can change build display names can inject markup that is rendered in the browser of anyone viewing that page.
Recommendations
For Jenkins Spring Config Plugin versions 2.0.0 and earlier, update to version 2.0.1 or later, which escapes build display names shown on the Spring Config view, thus resolving the issue.
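The bug class and the fix described above, as an added example that is not code from the Jenkins Spring Config Plugin: a build display name (text a user with rename permission controls) is interpolated into a view fragment once without escaping and once through an HTML escaper. The methods renderUnescaped, renderEscaped and escapeHtml are hypothetical stand-ins for the plugin's view template, and the display name is a constructed sample.

```java
/**
 * Added example, not the plugin's own code. Models the stored XSS pattern the
 * advisory describes (unescaped build display name in an HTML view) beside the
 * hardened rendering. renderUnescaped / renderEscaped / escapeHtml are
 * hypothetical stand-ins for the plugin's view template.
 */
public class DisplayNameEscapeDemo {

    /** Minimal HTML escaper suitable for text nodes and quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: user-controlled display name dropped straight into markup. */
    static String renderUnescaped(String displayName) {
        return "<td class=\"build-name\">" + displayName + "</td>";
    }

    /** Fixed pattern: escape the display name before it reaches the page. */
    static String renderEscaped(String displayName) {
        return "<td class=\"build-name\">" + escapeHtml(displayName) + "</td>";
    }

    /**
     * Review check: true if any '<' from the input survives inside the cell,
     * i.e. the browser would parse attacker-supplied text as a tag.
     */
    static boolean rawTagLeaks(String html) {
        String inner = html.substring(html.indexOf('>') + 1, html.lastIndexOf("</td>"));
        return inner.indexOf('<') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample display name carrying HTML markup and a quote.
        String constructedName = "build #42 <b>renamed</b> \"test\"";

        String bad = renderUnescaped(constructedName);
        String good = renderEscaped(constructedName);

        System.out.println("unescaped: " + bad);
        System.out.println("escaped:   " + good);
        System.out.println("raw tag leaks (unescaped view): " + rawTagLeaks(bad));  // true
        System.out.println("raw tag leaks (escaped view):   " + rawTagLeaks(good)); // false
    }
}
```

The same check applies when reviewing a Jenkins plugin's Jelly views: any place a build display name, job name or other user-editable string is written into the page should go through the framework's escaping rather than raw interpolation, which is exactly what the 2.0.1 fix adds for the Spring Config view.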
Fix · XSS
Affected Products
Jenkins
Jenkins Spring Config Plugin