CVE-2022-45380
Published 2022-11-15

Priority: P4
Severity: medium (CVSS 3.1 base score 5.4)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.62% (45.1th percentile)
Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Affected (23 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | associated_files_plugin | — | — |
| jenkins | bart_plugin | — | — |
| jenkins | cccc_plugin | — | — |
| jenkins | cluster_statistics_plugin | — | — |
| jenkins | config_rotator_plugin | — | — |
| jenkins | delete_log_plugin | — | — |
| jenkins | japex_plugin | — | — |
| jenkins | junit | < 1160.vf1f01a_a_ea_b_7f | 1160.vf1f01a_a_ea_b_7f |
| jenkins | junit_plugin | — | — |
| jenkins | naginator_plugin | — | — |
| jenkins | ns-nd_integration_performance_publisher_plugin | — | — |
| jenkins | pipeline_utility_steps_plugin | — | — |
| jenkins | registry_notification_plugin | — | — |
| jenkins | reverse_proxy_auth_plugin | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins | sourcemonitor_plugin | — | — |
| jenkins | support_core_plugin | — | — |
| jenkins | urls_in_the_plugin | — | — |
| jenkins | violations_plugin | — | — |
| jenkins | xml_linter_plugin | — | — |
| jenkins | xp-dev_plugin | — | — |
| jenkins_project | jenkins_junit_plugin | unspecified – 1159.v0b_396e1e07dd | — |
| msrc | cbl2_junit_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| vendor_msrc | 5.4 | MEDIUM | — |
| vendor_redhat | 5.4 | MEDIUM | — |
Red Hat
jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin
vendor_redhat · 2022-11-15 · CVSS 5.4 · MEDIUM · CWE-79
A flaw was found in the JUnit Jenkins Plugin. The affected version of the JUnit plugin converts HTTP(S) URLs in test report output to clickable links, which leads to a stored Cross-site scripting (XSS) attack.
Statement: OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.
Package: jenkins-2-plugins (OpenShift Developer Too
Jenkins
Jenkins Security Advisory 2022-11-15
vendor_jenkins · 2022-11-15 · CVSS 7.5 · CVE-2022-33980 [HIGH]
This advisory announces vulnerabilities in the following Jenkins deliverables:

- Associated Files Plugin
- BART Plugin
- CCCC Plugin
- CloudBees Docker Hub/Registry Notification Plugin
- Cluster Statistics Plugin
- Config Rotator Plugin
- Delete log Plugin
Microsoft
Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability
vendor_msrc · 2022-11-08 · CVSS 5.4 · MEDIUM · CWE-79
Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact
OSV
Jenkins JUnit Plugin subject to Cross-site Scripting via URL conversion
osv · 2022-11-16 · [HIGH]
JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links.
This is done in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
JUnit Plugin 1160.vf1f01a_a_ea_b_7f no longer converts URLs to clickable links.
GHSA
Jenkins JUnit Plugin subject to Cross-site Scripting via URL conversion
ghsa · 2022-11-16 · [HIGH] · CWE-79
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.