CVE-2022-38664 — Cross-site Scripting in Project Jenkins JOB Configuration History Plugin

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

16.3%

top 5.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins JOB Configuration History Plugin Jenkins JOB Configuration History

Timeline

PublishedAug 23

Latest updateAug 24

Description

Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_job_configuration_history_pluginunspecified — 1165.v8cc9fd1f4597

▶NVDjenkins/job_configuration_history1165.v8cc9fd1f4597

🔴Vulnerability Details

OSV

Cross-site Scripting in Jenkins Job Configuration History Plugin↗2022-08-24

▶

GHSA

Cross-site Scripting in Jenkins Job Configuration History Plugin↗2022-08-24

▶

CVEList

CVE-2022-38664: Jenkins Job Configuration History Plugin 1165↗2022-08-23

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-08-23↗2022-08-23

▶