CVE-2016-3101 — Cross-site Scripting in Jenkins Extra Columns

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 64.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Extra Columns Jenkins Extra Columns Plugin Jenkins Matrix Project Plugin +3 more

Timeline

PublishedFeb 9

Latest updateMay 13

Description

Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages6 packages

▶jenkinsjenkins/extra_columns_plugin

▶NVDjenkins/extra_columns< 1.17

▶jenkinsjenkins/script_security_plugin

▶jenkinsjenkins/users_of_script_security_plugin

▶jenkinsjenkins/pipeline_plugin

🔴Vulnerability Details

GHSA

Jenkins Extra Columns Plugin allows Cross-Site Scripting (XSS)↗2022-05-13

▶

OSV

Jenkins Extra Columns Plugin allows Cross-Site Scripting (XSS)↗2022-05-13

▶

📋Vendor Advisories

Red Hat

jenkins: Stored XSS vulnerability in Extra Columns Plugin (SECURITY-136)↗2016-04-11

▶

Jenkins

Jenkins Security Advisory 2016-04-11↗2016-04-11

▶

💬Community

Bugzilla

CVE-2016-3101 jenkins: Stored XSS vulnerability in Extra Columns Plugin (SECURITY-136)↗2016-04-12

▶

Bugzilla

CVE-2016-3101 CVE-2016-3102 jenkins: various flaws [fedora-all]↗2016-04-12

▶