CVE-2022-34777
Published 2022-06-30
Priority: P3 · 41 · Severity: medium · CVSS 3.1 base score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 72.36% (99.4th percentile)
Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Affected (26 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitlab | gitlab | — | — |
| jenkins | build_notifications_plugin | — | — |
| jenkins | cisco_spark_plugin | — | — |
| jenkins | deployment_dashboard_plugin | — | — |
| jenkins | elasticsearch_query_plugin | — | — |
| jenkins | failed_job_deactivator_plugin | — | — |
| jenkins | feedback_panel_plugin | — | — |
| jenkins | gitlab | <= 1.5.34 | — |
| jenkins | gitlab_plugin | — | — |
| jenkins | ids_in_xebialabs_xl_release_plugin | — | — |
| jenkins | jigomerge_plugin | — | — |
| jenkins | matrix_reloaded_plugin | — | — |
| jenkins | opsgenie_plugin | — | — |
| jenkins | plot_plugin | — | — |
| jenkins | project_inheritance_plugin | — | — |
| jenkins | recipe_plugin | — | — |
| jenkins | request_rename_or_delete_plugin | — | — |
| jenkins | rich_text_publisher_plugin | — | — |
| jenkins | rocketchat_notifier_plugin | — | — |
| jenkins | rqm_plugin | — | — |
| jenkins | skype_notifier_plugin | — | — |
| jenkins | testng_results_plugin | — | — |
| jenkins | validating_email_parameter_plugin | — | — |
| jenkins | xebialabs_xl_release_plugin | — | — |
| jenkins | xpath_configuration_viewer_plugin | — | — |
Detection & IOCs (extracted from sources)
- A stored XSS exists in Jenkins GitLab Plugin 1.5.34 and earlier, reached through the description of webhook-triggered builds. Monitor for unsanitized script injection in build description fields set by users with Item/Configure permission.
- Exploitation requires Item/Configure permission in Jenkins, which limits the attack surface to authenticated users holding that permission.
- Environments running GitLab Plugin 1.5.34 or earlier are at risk; 1.5.35 is the first release without the issue.
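The three points above amount to a check an administrator can script: read the installed GitLab plugin version and compare it with 1.5.35, then look at the stored build metadata for markup that a webhook payload should never contain. The block below is an added example written for this page; it is not code from the page's sources or from the GitLab plugin. It works offline on constructed JSON samples that follow the shape of Jenkins' `/pluginManager/api/json?depth=1` and `/job/<job>/api/json?tree=builds[number,description,actions[causes[shortDescription]]]` responses; the job, build numbers and payload strings are assumptions, and the plugin's `shortName` of `gitlab-plugin` is the one used by plugins.jenkins.io.

```python
"""Added example (not the page's or the GitLab plugin's own code): an offline check
for CVE-2022-34777 that (a) flags a GitLab plugin version below 1.5.35 and
(b) scans build metadata for HTML in the two fields the advisory names, the build
description and the webhook build cause. The JSON API returns these strings as
stored, so markup that would render on the build page shows up here verbatim.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

PLUGIN_SHORT_NAME = "gitlab-plugin"            # shortName on plugins.jenkins.io
FIXED_VERSION: Tuple[int, ...] = (1, 5, 35)    # first release without user-provided fields

# Constructed sample: an instance still on 1.5.34 (assumed plugin list).
PLUGIN_LIST_VULNERABLE = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.11.3", "active": True},
        {"shortName": PLUGIN_SHORT_NAME, "version": "1.5.34", "active": True},
    ]
})
# Constructed sample: the same instance after upgrading.
PLUGIN_LIST_FIXED = json.dumps({
    "plugins": [{"shortName": PLUGIN_SHORT_NAME, "version": "1.5.35", "active": True}]
})

# Constructed sample of build metadata (assumed job). Build 17 has a benign cause;
# build 18's description and cause carry markup of the kind a webhook could deliver.
JOB_BUILDS = json.dumps({
    "builds": [
        {"number": 17, "description": None, "actions": [
            {"causes": [{"shortDescription":
                         "Triggered by GitLab Merge Request #7: feature/x => main"}]}]},
        {"number": 18,
         "description": "Build for <img src=x onerror=alert(document.domain)>",
         "actions": [{}, {"causes": [{"shortDescription":
                                      "Triggered by <script>fetch('//evil.example')</script>"}]}]},
    ]
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Leading dotted numeric components only: '1.5.35-rc1234.abcd' -> (1, 5, 35)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for 1.5.34 and earlier; tuple comparison handles 1.6, 1.7.9, etc."""
    return parse_version(version) < FIXED_VERSION


def gitlab_plugin_vulnerable(plugin_list_json: str) -> Optional[bool]:
    """True/False for an installed GitLab plugin, None when it is not installed."""
    for plugin in json.loads(plugin_list_json).get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            return is_vulnerable_version(plugin["version"])
    return None


# Markup that has no business in a commit message, branch name or user name.
HTML_MARKERS = re.compile(
    r"<\s*/?\s*(?:script|img|svg|iframe|object|embed)\b"   # element injection
    r"|\bon[a-z]+\s*="                                       # inline event handlers
    r"|javascript\s*:",                                      # javascript: URLs
    re.IGNORECASE,
)


def scan_builds(job_json: str) -> List[Dict]:
    """Return every build description or cause that carries suspicious markup."""
    findings: List[Dict] = []
    for build in json.loads(job_json).get("builds", []):
        candidates = [("description", build.get("description"))]
        for action in build.get("actions", []):
            for cause in action.get("causes", []):
                candidates.append(("cause", cause.get("shortDescription")))
        for field, text in candidates:
            if text and HTML_MARKERS.search(text):
                findings.append({"build": build.get("number"), "field": field, "text": text})
    return findings


if __name__ == "__main__":
    print("GitLab plugin vulnerable:", gitlab_plugin_vulnerable(PLUGIN_LIST_VULNERABLE))
    for hit in scan_builds(JOB_BUILDS):
        print(f"build #{hit['build']} {hit['field']}: {hit['text']}")
```

Against a live instance, fetch the two endpoints with an API token and feed the bodies to `gitlab_plugin_vulnerable` and `scan_builds`; the marker regex is deliberately narrow (element names, inline handlers, `javascript:` URLs) and should be tuned to the commit-message conventions of the environment rather than widened blindly. A version check alone is not a clean bill of health: builds recorded before the upgrade keep whatever the webhook wrote into them, which is why the scan runs over stored builds as well.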
CVSS provenance
- NVD v3.1: 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- NVD v2.0: 3.5 LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N
GitLab
vendor_gitlab · 2022-06-30 · CVSS 5.4
CVE-2022-34777 [MEDIUM] CWE-79
CVE-2022-34777: Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Jenkins
Jenkins Security Advisory 2022-06-30
vendor_jenkins · 2022-06-30 · CVSS 5.4
CVE-2022-34777 [MEDIUM] Jenkins Security Advisory 2022-06-30
This advisory announces vulnerabilities in the following Jenkins deliverables: Build Notifications Plugin, build-metrics Plugin, Cisco Spark Plugin, Deployment Dashboard Plugin, Elasticsearch Query Plugin, eXtreme Feedback Panel Plugin, Failed Job D
OSV
Cross-site Scripting in Jenkins GitLab Plugin
osv · 2022-07-01
CVE-2022-34777 [HIGH] Cross-site Scripting in Jenkins GitLab Plugin
Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. GitLab Plugin 1.5.35 does not show user-provided fields in the build cause of webhook-triggered builds.
GHSA
Cross-site Scripting in Jenkins GitLab Plugin
ghsa · 2022-07-01
CVE-2022-34777 [HIGH] CWE-79 Cross-site Scripting in Jenkins GitLab Plugin
Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. GitLab Plugin 1.5.35 does not show user-provided fields in the build cause of webhook-triggered builds.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-06-30