CVE-2022-29037
Published 2022-04-12
Priority P4 · 23 · medium · 5.4 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.66% (47.0th percentile)
Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | build_step_plugin | — | — |
| jenkins | coordinator_plugin | — | — |
| jenkins | credentials_plugin | — | — |
| jenkins | cvs | <= 2.19 | — |
| jenkins | cvs_plugin | — | — |
| jenkins | deprecated_groovy_libraries_plugin | — | — |
| jenkins | extended_choice_parameter_plugin | — | — |
| jenkins | gerrit_trigger_plugin | — | — |
| jenkins | git_parameter_plugin | — | — |
| jenkins | google_compute_engine_plugin | — | — |
| jenkins | input_step_plugin | — | — |
| jenkins | jira_plugin | — | — |
| jenkins | job_dsl_plugin | — | — |
| jenkins | job_generator_plugin | — | — |
| jenkins | mask_passwords_plugin | — | — |
| jenkins | maven_release_plugin | — | — |
| jenkins | node_and_label_parameter_plugin | — | — |
| jenkins | promotion_names_in_promoted_builds_plugin | — | — |
| jenkins | publish_over_ftp_plugin | — | — |
| jenkins | rebuilder_plugin | — | — |
| jenkins | release_plugin | — | — |
| jenkins | show_build_parameters_plugin | — | — |
| jenkins | subversion_plugin | — | — |
| jenkins | unleash_maven_plugin | — | — |
| jenkins_project | jenkins_cvs_plugin | unspecified – 2.19 | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
GHSA
Stored XSS in Jenkins CVS Plugin (ghsa · 2022-04-13)
CVE-2022-29037 [MEDIUM] CWE-79 Stored XSS in Jenkins CVS Plugin
OSV
Stored XSS in Jenkins CVS Plugin (osv · 2022-04-13)
CVE-2022-29037 [MEDIUM] Stored XSS in Jenkins CVS Plugin
Jenkins
Jenkins Security Advisory 2022-04-12 (vendor_jenkins · 2022-04-12 · CVSS 5.4)
CVE-2017-2601 [MEDIUM] Jenkins Security Advisory 2022-04-12
This advisory announces vulnerabilities in the following Jenkins deliverables:
Credentials Plugin
CVS Plugin
Extended Choice Parameter Plugin
Gerrit Trigger Plugin
Git Parameter Plugin
Google Compute Engine Plugin
Jira Plugin
Job Generator
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-04-12