Stored Cross-Site Scripting Vulnerability in Jenkins Anchore Container Image Scanner Plugin
CVE-2022-41225
5.4 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 21 September 2022
Summary
The Anchore Container Image Scanner Plugin for Jenkins, version 1.0.24 and earlier, does not escape content received from the Anchore engine API before rendering it in Jenkins. This results in a stored cross-site scripting (XSS) vulnerability: scanner output is persisted with the build and later rendered to anyone who views the affected page, so an attacker able to control the API responses returned by the Anchore engine can inject script that runs in the browser sessions of those Jenkins users. Because the script executes with the viewing user's permissions, it can be used to act on their behalf in Jenkins and to expose data they have access to.
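The pattern behind this class of bug, as an added illustration that is not the plugin's own code: results from a scanner API are pasted into an HTML report without escaping. The sample response below is constructed for the example, and its field names ("findings", "vuln", "package", "description") are assumptions, not the Anchore engine schema. The unescaped renderer reproduces the flaw; the escaped one shows the fix; and the check function reports which attacker-controlled strings reached the page verbatim.

```python
import html
import json

# Constructed sample of a scanner API response for this example. The field
# names ("findings", "vuln", "package", "description") are assumptions made
# for illustration, not the Anchore engine's actual schema.
SAMPLE_API_RESPONSE = json.dumps({
    "image": "registry.example/app:1.0",
    "findings": [
        {
            "vuln": "CVE-0000-0000",
            "package": "libexample",
            "description": "benign finding",
        },
        {
            # Attacker-controlled values: markup in one field, an attribute
            # breakout (closing quote plus event handler) in another.
            "vuln": "CVE-0000-0001",
            "package": '<img src=x onerror="alert(document.cookie)">',
            "description": '" onmouseover="alert(1)',
        },
    ],
})

ROW_TEMPLATE = (
    '<tr><td>{vuln}</td><td>{package}</td>'
    '<td title="{description}">{description}</td></tr>'
)


def render_row_unescaped(finding):
    """Vulnerable pattern: API fields are pasted into HTML verbatim."""
    return ROW_TEMPLATE.format(**finding)


def render_row_escaped(finding):
    """Hardened pattern: every field is HTML-escaped before rendering.

    quote=True also escapes the double quote, which is what stops the
    attribute breakout in the title="..." context.
    """
    escaped = {k: html.escape(str(v), quote=True) for k, v in finding.items()}
    return ROW_TEMPLATE.format(**escaped)


def render_report(api_json, row_renderer):
    """Build the HTML table a scan-results page would show for each finding."""
    data = json.loads(api_json)
    rows = "".join(row_renderer(f) for f in data["findings"])
    return "<table>" + rows + "</table>"


def unescaped_payloads(report_html, api_json):
    """Return the API strings containing HTML metacharacters that reached the
    page verbatim. A non-empty result means the renderer is unsafe."""
    data = json.loads(api_json)
    leaked = []
    for finding in data["findings"]:
        for value in finding.values():
            value = str(value)
            if any(ch in value for ch in '<>"') and value in report_html:
                leaked.append(value)
    return leaked


if __name__ == "__main__":
    vulnerable = render_report(SAMPLE_API_RESPONSE, render_row_unescaped)
    hardened = render_report(SAMPLE_API_RESPONSE, render_row_escaped)
    print("unescaped renderer leaks:", unescaped_payloads(vulnerable, SAMPLE_API_RESPONSE))
    print("escaped renderer leaks:", unescaped_payloads(hardened, SAMPLE_API_RESPONSE))
```

In a Jenkins plugin the rendering layer is Jelly rather than string templates, where `${...}` text expressions are escaped by default and `<j:out value="${...}"/>` emits raw HTML. The practical audit is the same as the check above: trace each value taken from the engine response to the view and confirm it only reaches the page through an escaping path.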
Affected Version(s)
Jenkins Anchore Container Image Scanner Plugin <= 1.0.24
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed