Stored XSS in Jenkins Publish Over SSH Plugin by Cloudbees
CVE-2022-23110
4.8 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 12 January 2022
Summary
The Jenkins Publish Over SSH Plugin up to and including version 1.22 does not escape the SSH server name when rendering it. An attacker with Overall/Administer permission can set a server name containing script, which is stored in the plugin configuration and executed in the browser of any user who views the affected page (stored cross-site scripting, XSS). Administrators are urged to upgrade to the latest version and implement security best practices to mitigate potential risks.
Affected Version(s)
Jenkins Publish Over SSH Plugin <= 1.22
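To check whether an instance is still within the affected range, the following script (added here, not part of this advisory or the plugin) compares the installed plugin version from the Jenkins plugin manager JSON against the last affected release. It assumes the plugin's Jenkins short name is "publish-over-ssh" and uses a constructed sample of the API output.

```python
"""Flag a Jenkins instance still running an affected Publish Over SSH plugin.

Input is JSON in the shape returned by /pluginManager/api/json?depth=1;
a constructed sample is embedded so the script runs offline.
"""
import json

# From the advisory: every release up to and including 1.22 is affected.
LAST_AFFECTED = "1.22"
# Assumption: the plugin's Jenkins short name (not stated on the page).
PLUGIN_SHORT_NAME = "publish-over-ssh"

# Constructed sample of the plugin manager API output (not real scan data).
SAMPLE_API_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.10.2", "active": True},
        {"shortName": PLUGIN_SHORT_NAME, "version": "1.22", "active": True},
    ]
})


def version_key(version):
    """Comparable key for a dotted plugin version.

    Numeric components compare numerically; trailing zeros are dropped so
    "1.22.0" equals "1.22"; a "-qualifier" marks a pre-release that sorts
    before the final release (so "1.22-beta1" is still reported affected).
    """
    core, _, qualifier = version.partition("-")
    numbers = [int(p) for p in core.split(".") if p.isdigit()]
    while numbers and numbers[-1] == 0:
        numbers.pop()
    return (numbers, 0 if qualifier else 1)


def is_affected(version):
    """True when the installed version is <= the last affected release."""
    return version_key(version) <= version_key(LAST_AFFECTED)


def affected_plugins(api_json):
    """Return (shortName, version) for each installed entry that is affected."""
    hits = []
    for plugin in json.loads(api_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = str(plugin.get("version", ""))
        if is_affected(version):
            hits.append((plugin["shortName"], version))
    return hits


if __name__ == "__main__":
    for name, ver in affected_plugins(SAMPLE_API_JSON):
        print(f"{name} {ver}: affected by CVE-2022-23110, upgrade beyond 1.22")
```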
References
CVSS V3.1
Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved