CVE-2022-34178 — Cross-site Scripting in Project Jenkins Embeddable Build Status Plugin

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

12.5%

top 6.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Embeddable Build Status Plugin Jenkins Embeddable Build Status

Timeline

PublishedJun 23

Latest updateJun 24

Description

Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a 'link' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_embeddable_build_status_plugin2.0.3

▶NVDjenkins/embeddable_build_status2.0.3

🔴Vulnerability Details

GHSA

Reflected Cross site scripting in Jenkins Embeddable Build Status Plugin↗2022-06-24

▶

OSV

Reflected Cross site scripting in Jenkins Embeddable Build Status Plugin↗2022-06-24

▶

CVEList

CVE-2022-34178: Jenkins Embeddable Build Status Plugin 2↗2022-06-22

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-06-22↗2022-06-22

▶