Stored Cross-Site Scripting Vulnerability in Jenkins Maven Metadata Plugin
CVE-2022-36905
CVSS score: 5.4 (Medium)
Key Information:
- Vendor: Jenkins
- CVE Published: 27 July 2022
What is CVE-2022-36905?
The Jenkins Maven Metadata Plugin for the Jenkins CI server, version 2.2 and earlier, is susceptible to a stored cross-site scripting (XSS) vulnerability. This weakness arises from the absence of proper URL validation for the Repository Base URL within the parameters related to listing Maven artifact versions. Attackers with Item/Configure permissions can exploit this flaw to inject malicious scripts, potentially compromising the security of the Jenkins environment.
Affected Version(s)
Jenkins Maven Metadata Plugin for Jenkins CI server, versions <= 2.2
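The root cause above is a repository base URL that is stored and later rendered without being validated. The following is an added example, not code from the Maven Metadata Plugin or from the fixed release, of the kind of check a parameter definition should apply before accepting such a value: only absolute http(s) URLs with a host are accepted, and anything that could be interpreted as script or could break out of an HTML attribute is rejected. The function names and the sample inputs are constructed for this illustration.

```python
import html
from urllib.parse import urlsplit

# Only real repository URLs are acceptable; javascript:, data:, file: and
# scheme-relative (//host) values are all rejected.
ALLOWED_SCHEMES = {"http", "https"}

# Characters that have no place in a repository URL and that an attacker would
# need in order to close an attribute or tag when the value is echoed into HTML.
FORBIDDEN_CHARS = set(' <>"\'')


def is_safe_repository_base_url(value) -> bool:
    """Return True only for an absolute http(s) URL that is safe to store and render."""
    if not isinstance(value, str) or not value:
        return False
    # Control characters are stripped by some browsers before scheme detection,
    # so a value containing them must not be trusted.
    if any(ord(c) < 0x20 or c in FORBIDDEN_CHARS for c in value):
        return False
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # urlsplit("//host/path") yields an empty scheme and is rejected above;
    # "https:///path" yields an empty netloc and is rejected here.
    if not parts.netloc:
        return False
    return True


def render_base_url_attribute(value: str) -> str:
    """Defence in depth: validate, then escape before placing the value in an attribute.

    Escaping alone would not stop a javascript: URL from being followed, and
    validation alone would not protect other places the value is rendered, so
    both steps are applied.
    """
    if not is_safe_repository_base_url(value):
        raise ValueError("repository base URL rejected")
    return 'href="%s"' % html.escape(value, quote=True)
```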