Stored Cross-Site Scripting in Jenkins Folder-Based Authorization Strategy Plugin
CVE-2022-27200

4.8MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Folder-based Authorization Strategy Plugin
Vendor: CVE Published:; 15 March 2022

Summary

The Folder-based Authorization Strategy Plugin for Jenkins prior to version 1.4 fails to properly escape role names displayed on its configuration form. This flaw allows attackers with Overall/Administer permissions to inject malicious scripts into the configuration interface, leading to stored cross-site scripting vulnerabilities that could compromise the security of the application and its users.

Affected Version(s)

Jenkins Folder-based Authorization Strategy Plugin <= 1.3

References

https://www.jenkins.io/security/advisory/2022-03-15/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/03/15/2

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 15, 2022
Vulnerability Reserved
Mar 15, 2022