Stored Cross-Site Scripting Vulnerability in Jenkins Stash Branch Parameter Plugin
CVE-2022-34198

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Stash Branch Parameter Plugin
Vendor: CVE Published:; 23 June 2022

Summary

The Jenkins Stash Branch Parameter Plugin versions 0.3.0 and prior allow an attacker with Item/Configure permission to exploit a stored cross-site scripting (XSS) vulnerability. This is due to the plugin's failure to properly escape the name and description of Stash Branch parameters when rendering them in views. Consequently, malicious users can inject scripts that will execute in the context of users visiting affected views, potentially leading to unauthorized actions and data exposure.

Affected Version(s)

Jenkins Stash Branch Parameter Plugin <= 0.3.0

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jun 23, 2022
Vulnerability Reserved
Jun 21, 2022