PT-2022-4040 · Jenkins · Jenkins Dynamic Extended Choice Parameter Plugin+1
Published
2022-07-27
·
Updated
2023-11-02
·
CVE-2022-36902
CVSS v3.1
8.0
High
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Dynamic Extended Choice Parameter Plugin versions 1.0.1 and earlier
Description
The issue exists due to inadequate protection of the web page structure, allowing a remote attacker to conduct a cross-site scripting (XSS) attack. This stored XSS vulnerability can be exploited by attackers with Item/Configure permission, as several fields of Moded Extended Choice parameters are not properly escaped.
Recommendations
For Jenkins Dynamic Extended Choice Parameter Plugin versions 1.0.1 and earlier, update to a version that properly escapes fields of Moded Extended Choice parameters to prevent stored XSS attacks.
As a temporary workaround, consider restricting access to the Item/Configure permission to minimize the risk of exploitation.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Dynamic Extended Choice Parameter Plugin