Stored Cross-Site Scripting Vulnerability in Jenkins Maven Metadata Plugin
CVE-2022-36905

5.4MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Maven Metadata Plugin For Jenkins Ci Server Plugin
Vendor
CVE Published:
27 July 2022

Summary

The Jenkins Maven Metadata Plugin for the Jenkins CI server, version 2.2 and earlier, is susceptible to a stored cross-site scripting (XSS) vulnerability. This weakness arises from the absence of proper URL validation for the Repository Base URL within the parameters related to listing Maven artifact versions. Attackers with Item/Configure permissions can exploit this flaw to inject malicious scripts, potentially compromising the security of the Jenkins environment.

Affected Version(s)

Jenkins Maven Metadata Plugin for Jenkins CI server Plugin <= 2.2

References

https://www.jenkins.io/security/advisory/2022-07-27/#SECU...
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2022/07/27/1
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.