CVE-2022-43409 — Cross-site Scripting in Project Jenkins Pipeline Supporting Apis Plugin

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

4.2%

top 11.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Pipeline Supporting Apis Plugin Jenkins Pipeline

Timeline

PublishedOct 19

Description

Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_pipeline_supporting_apis_pluginunspecified — 838.va_3a_087b_4055b

▶NVDjenkins/pipeline838.va_3a_087b_4055b

🔴Vulnerability Details

OSV

Stored XSS vulnerability in Jenkins Pipeline: Supporting APIs Plugin↗2022-10-19

▶

CVEList

CVE-2022-43409: Jenkins Pipeline: Supporting APIs Plugin 838↗2022-10-19

▶

GHSA

Stored XSS vulnerability in Jenkins Pipeline: Supporting APIs Plugin↗2022-10-19

▶

📋Vendor Advisories

Red Hat

jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin↗2022-10-19

▶

Jenkins

Jenkins Security Advisory 2022-10-19↗2022-10-19

▶