Stored Cross-Site Scripting Vulnerability in Jenkins Rundeck Plugin
CVE-2022-30956
5.4 MEDIUM
What is CVE-2022-30956?
Jenkins Rundeck Plugin versions up to and including 3.6.10 are susceptible to a stored cross-site scripting (XSS) vulnerability because the plugin does not adequately restrict URL schemes in Rundeck webhook submissions. An attacker can send a crafted payload via a webhook; the payload is stored and can later execute arbitrary scripts in the context of the affected user's session, potentially leading to unauthorized data access and other security issues.
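The control that is missing here is a scheme allowlist applied to every URL taken from a webhook payload before it is stored or rendered as a link. The following is an added sketch of such a check in Java; it is not the plugin's code or its actual fix. The class name, method name and sample URLs are constructed for illustration, and the http/https-only allowlist is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class WebhookUrlSchemeCheck {
    // Assumption: only absolute http(s) links are legitimate in a webhook payload.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns true only for absolute URLs with an allowlisted scheme and a host. */
    static boolean isAllowedLink(String raw) {
        if (raw == null) {
            return false;
        }
        try {
            // Deliberately no trim(): leading whitespace or embedded control
            // characters make URI parsing fail, so such values are rejected
            // instead of being normalised into something a browser accepts.
            URI uri = new URI(raw);
            String scheme = uri.getScheme();
            if (scheme == null) {
                return false; // relative or scheme-less reference
            }
            // URI schemes are case-insensitive; compare in lower case.
            if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
                return false;
            }
            // Reject opaque forms such as "https:foo" that carry no host.
            return uri.getHost() != null;
        } catch (URISyntaxException e) {
            return false; // unparseable input is never rendered as a link
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real webhook payload.
        List<String> samples = List.of(
                "https://rundeck.example.com/project/demo/execution/show/42",
                "javascript:void(0)",
                "JaVaScRiPt:void(0)",
                " javascript:void(0)",
                "data:text/html,hello",
                "//rundeck.example.com/path",
                "https:no-host");
        for (String s : samples) {
            System.out.printf("%-62s -> %s%n", "\"" + s + "\"", isAllowedLink(s));
        }
    }
}
```

Only the first sample is accepted. Scheme validation complements, and does not replace, output encoding when the stored value is written into HTML.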
Affected Version(s)
Jenkins Rundeck Plugin <= 3.6.10